CISO research advocates ‘30-day sprint’ to get privileged credentials up to date
If you had a panel of Global 1000 chief information security officers (CISOs) at your disposal, what would you ask them? A new report issued by CyberArk argues that organisations can improve their security fitness and protect privileged credentials in a ‘30-day sprint’.
The report outlines a ‘proven framework’ to implement a set of key controls around privileged credentials, noting that organisations can make gains ‘with a sufficient sense of urgency’. In other words, organisations get their act together after they have been breached simply because they have to; and as John Gelinne, managing director of advisory cyber risk services at Deloitte & Touche points out, “putting security controls in place in the middle of a cyber-attack is like putting storm windows on your house in the middle of a hurricane.”
When it comes to data breaches, the numbers continue to rise; according to the Identity Theft Resource Center, attacks against US companies and government agencies hit record numbers in 2016, up 40% from the year before. “Compared with implementing controls in a hostile, post-breach environment, doing the work proactively is likely to proceed relatively smoothly,” the report notes.
So what are the key takeaways from the report? CyberArk sets out several recommended practices, most of which are common sense but worth repeating. Organisations need to limit the exposure of privileged credentials, enforce strong passwords and encrypt them, and minimise the number of administrator accounts, the report notes.
“Even if CISOs aren’t able to put all of the controls in place in 30 days – the intent is obvious,” said Steve Glynn, CISO of the ANZ Banking Group. “You have to prioritise. The framework breaks it down – ‘start here. Do these things first’. It’s absolutely valid whether it’s 30, 60, or 180 days.”
Naturally, it’s worth noting that this is an ongoing process; after the ‘sprint’ has taken place, CyberArk notes organisations will encounter issues such as adding controls to more accounts, increasing the depth of controls, and refactoring legacy applications. “Applications, especially legacy ones, are often designed to require administrator privileges and have passwords embedded in ways that make password rotation difficult,” the report notes. “Ensure in general, all applications are granted the minimum necessary privileges and use passwords securely.”
You can read the full report here (registration required).