Cyber attacks happen all the time. But when it comes to industry scrutiny, the timing couldn’t have been worse for Citrix. Just as pretty much the entire cybersecurity industry was busy meeting at RSA 2019 in San Francisco this month, the digital workspace technology firm announced that its internal Citrix network had been breached.
The Citrix attack — which involved a strategy known as password spraying — became instant watercooler conversation across the Moscone Center. That’s the wrong kind of RSA buzz for a company, but the right kind of buzz to get our industry more focused on Privileged Access Management. Here’s my 2 cents on how to enhance that focus on the PAM areas most in need of attention and reform.
The Scale of the Threat
The Citrix case is troubling on a number of fronts. Multiple reports have linked the targeted network intrusion on more than 6 TB of Citrix data to IRIDIUM, an international cyber criminal organization with ties to Iran. IRIDIUM is associated with previous attacks on hundreds of government agencies, technology firms and energy companies around the world.
The fact that hardened threat actors capable of nation-state level attacks on critical infrastructure are now embracing PAM weaknesses as their preferred mode of entry is just the latest of many wakeup calls. But as I told many of my colleagues at RSA, we need to augment the general alarm with some specifics — targeted areas within PAM to focus our cyber-protection efforts.
Zeroing in On PAM Weaknesses
One of those areas is obviously the age-old problem of the password — writ embarrassingly large in the Citrix case by the threat actors’ use of password spraying. That’s when threat actors brute force many accounts with a small number of weak, common passwords. Once inside, they can avoid additional levels of security as they move laterally within the system.
Things get even easier for threat actors to the extent they can leverage another weakness I’d like to flag — the vulnerability of local admin rights. Admins have 24/7 access to networks; it’s like one-stop shopping for access and power within targeted systems. Exhibit A here would be the recent analysis that 94 percent of Microsoft vulnerabilities can be mitigated by simply turning off admin rights.
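The password-spraying pattern described above (a few attempts against each of many accounts) can be told apart from single-account brute force in logon records. The following is an added example, not code from the original post or from Citrix; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (time, source, account, outcome); not real log data.
SAMPLE_EVENTS = (
    [(f"2024-01-01T09:{m:02d}:00", "203.0.113.7", acct, "FAIL")
     for m, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "svc-backup"])]
    + [("2024-01-01T09:20:00", "203.0.113.7", "svc-backup", "SUCCESS")]
    # Eight failures against one account: classic brute force, not a spray.
    + [(f"2024-01-01T09:{m:02d}:30", "198.51.100.20", "jdoe", "FAIL") for m in range(8)]
    # A user mistyping a password once before logging in.
    + [("2024-01-01T09:05:10", "192.0.2.15", "frank", "FAIL"),
       ("2024-01-01T09:05:40", "192.0.2.15", "frank", "SUCCESS")]
)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag sources whose failures in one window touch many accounts, few tries each."""
    failures, successes = defaultdict(list), set()
    for ts, src, account, outcome in events:
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), account))
        else:
            successes.add((src, account))
    flagged = {}
    for src, items in failures.items():
        items.sort()
        start, best = 0, []
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            counts = Counter(acct for _, acct in items[start:end + 1])
            if (len(counts) >= min_accounts and max(counts.values()) <= max_per_account
                    and len(counts) > len(best)):
                best = sorted(counts)
        if best:
            # Accounts the same source also logged in to need a credential reset.
            hit = [a for a in best if (src, a) in successes]
            flagged[src] = {"accounts": best, "succeeded": hit}
    return flagged

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(src, info)
```

Per-account lockout counters miss this pattern because no single account sees many failures; grouping by source across accounts is what exposes it.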
Evolving PAM Security
If we as cybersecurity experts are going to move our industry forward, we’re going to have to elevate PAM as one of the most common and significant vulnerabilities in modern digital systems. And, again, we’re going to have to do more than just sound the general alarm. We have to sharpen our efforts on specific challenges to save data, value and — certainly wherever critical infrastructure is involved — even lives and civil order.
Thankfully, that needle is starting to move a bit more, and not just because of Citrix’s ill-timed object lesson during RSA this year. Gartner has now put PAM as “Project No. 1” — first on the list — in its Top 10 Security Projects for 2019 report. Gartner’s Brian Reed explained that “PAM projects must support on-premises, hybrid and cloud environments and, at a minimum, use multifactor authentication (MFA) for all administrators and third-parties.”
At an absolute minimum, I would add. In fact, I’ll dedicate a future post to how we can all go well beyond that absolute minimum — for a more robust PAM security posture commensurate with the increasingly critical and central role it plays in the cybersecurity picture.