Insurers are tightening eligibility requirements for cyber insurance policies as cyberattacks spread rapidly around the world. Ransomware attacks increased his 80% last year, prompting underwriters to introduce a host of new provisions designed to prevent ransomware and thwart record numbers of claims. Among these are the mandates to enforce multi-factor authentication (MFA) for all administrative access within a network environment and to protect all privileged accounts, especially machine-to-machine connections called service accounts.
However, identifying gaps in MFA and privileged account protection in your environment can be very difficult for organizations. This is because most commonly used security and identity products don’t really have the utility to provide this visibility.
This article describes these identity protection challenges and suggests steps your organization can take to overcome them. Free Identity Risk Assessment.
How can I protect my privileged users if I don’t know who they are?
Underwriters now require MFA for all cloud-based email, remote network access, and all administrative access to network infrastructure, workstations and servers, directory services, and IT infrastructure. The last requirement here is the biggest challenge. Let’s find out why.
The problem is that defining administrative access is easier said than done. How can I create an accurate list of all administrative users? Some are easily identifiable, such as IT staff and helpdesk staff, but what about the so-called shadow administrators? Includes ex-employees who may have left without deleting their account. These employees continue to exist in the environment with privileged access. There are also users with admin access who may not have been formally assigned as admins, and possibly temporary admins whose accounts were not deleted after the reason for creation was completed.
In other words, to protect all user accounts with MFA, we first need to be able to find them. If you can’t do that, you’re at a loss before considering the best protection strategy.
The Service Account Case Study: An Even Bigger Visibility Challenge
Cyber insurance policies also require organizations to maintain a list of all service accounts. These are accounts that perform a variety of tasks in your environment, from scanning machines and installing software updates to automating repetitive administrative tasks. To be covered by the policy, an organization must be able to document all service account activity. This includes source and target machines, privilege levels, and supporting applications or processes.
Service accounts are a prime focus for underwriters because they are often targeted by attackers due to their highly privileged access. Attackers know that service accounts are often not monitored, so using them for lateral movement goes undetected. Attackers use stolen credentials to compromise service her accounts and use those accounts to access as many valuable resources as possible to steal data and spread ransomware her payload. I will try
However, the challenge of creating an inventory of all service accounts is even more difficult than a human administrator can do. The reason is that there is no diagnostic tool that can detect all service account activity in your environment. That means it’s hard at best to count the number that exist exactly.
Also, it is very difficult to identify specific behavioral patterns (such as source-to-destination machines and activities) across all accounts unless administrators maintain meticulous records. This is due to the various tasks that service accounts perform. Some accounts are created by administrators to run maintenance scripts on remote machines. Others are created as part of software installation and perform updates, scans, and health checks related to that software. In conclusion, it’s nearly impossible to get full visibility here.
A good assessment can identify gaps in your identity protection
To qualify for cyber insurance policies, organizations must close the identity protection gap. But you can’t address what you don’t recognize, so you have to identify those gaps first.
With the help of a thorough evaluation, the company finally looked at all users and their privilege levels, identified areas where MFA coverage was lacking, identified areas where old passwords were still in use, etc. You’ll be able to see weaknesses in other identity protections. Orphaned user accounts or shadow administrators in your environment.
By focusing on authentication, proper assessment reveals exactly how users are gaining access and identifies currently unprotected attack surfaces. These include all command-line interfaces and service account authentication, making it easy for organizations to meet new cyber insurance requirements.
A rigorous assessment may also reveal additional areas of vulnerability to attack, such as file sharing and legacy apps, that the insurer doesn’t currently need. Coupled with the actionable recommendations, organizations will soon find their security posture dramatically improved.
Do you know where your gap is? Sign up today for a free Identity Protection Assessment by Silverfort to gain complete visibility into your environment and uncover deficiencies that need to be addressed to help your organization qualify for cyber insurance policies.
