Over the last four months, I’ve received more spam offers, scam texts and fake emails than at any other point in my career. And I know why: in September, I joined SecurID as Chief Product Officer and updated my LinkedIn.
That update sent a signal to observant cybercriminals around the world. And the scammers have only gotten worse, and more creative, since then: after another executive joined SecurID, several fake versions of that colleague started texting me about missing Amazon gift cards.
Any C-level executive is going to be a magnet for spear phishing. Executive accounts tend to be over-entitled, and employees will defer to requests coming from leaders’ emails. That vulnerability isn’t ideal, but at least it’s evident.
The greater problem is that there are far too many unknowns that cybercriminals can exploit. Ungoverned accounts — including unnecessarily over-entitled accounts, inactive accounts, service accounts and orphaned accounts — are a large and growing problem. In a recent survey of security experts, four out of five respondents reported that the total number of identities they manage had more than doubled, and a quarter reported a tenfold increase since the pandemic began. The survey also found that 85% of organizations have employees with “more privileged access than necessary.”
At least the organizations in that survey could count the identities they have to defend: another survey found that 40% of businesses don’t track how many service accounts they have, and that some have five times more service accounts than real employees.
The Great Resignation is only poised to make this problem far worse. After higher-than-usual quitting rates in August, September and October, more than “4.5 million people left their jobs voluntarily in November, a record high in two decades of tracking,” per the New York Times.
That degree of disruption is poised to cause havoc with security teams worldwide: as employees shift roles and new hires onboard, security teams will have less bandwidth to correctly track and provision new identities or deactivate old ones. It’s akin to the stresses that security teams face during the holidays — only now, this challenge is set to last longer than just one season.
Use zero trust principles
There isn’t a technical innovation that can easily solve this issue. Moreover, even though ungoverned accounts pose an immediate and growing threat, security leaders can’t treat these as isolated incidents or rush to put out one fire after another.
Instead, these emerging challenges demand that security professionals double down on a new approach to the way organizations manage identities. Zero trust principles are a great place to start, but cybersecurity leaders need to implement systemic change.
Security professionals should start by developing a thorough understanding of who has access to what, why they need it, what they can do with it, and how they are using it. Mapping those users and their entitlements might seem like table stakes, but in cybersecurity, table stakes can be priceless. After all, the attackers who breached Colonial Pipeline’s network got in through a legacy virtual private network account that was no longer in active use but was still enabled, and that was not protected by multi-factor authentication.
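To make "who has access to what, and are they using it" concrete, here is an added example (not SecurID’s code) that runs a first-pass review of an account inventory against an HR roster and flags the kinds of ungoverned account the article names: inactive, orphaned, unowned service accounts and accounts holding entitlements they never exercise. The 90-day threshold, the role names and every record are constructed for illustration.

```python
"""Added example (not SecurID's code): review an account inventory against an
HR roster and flag ungoverned accounts. All thresholds and data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

INACTIVE_DAYS = 90            # assumed policy: no sign-in for 90 days counts as dormant


@dataclass
class Account:
    name: str
    kind: str                         # "user" or "service"
    owner: str | None                 # employee ID accountable for the account
    last_login: date | None
    granted: set[str] = field(default_factory=set)   # entitlements held
    used: set[str] = field(default_factory=set)      # entitlements exercised in the window
    mfa: bool = False


def review_accounts(accounts: list[Account], active_employees: set[str],
                    as_of: date) -> dict[str, list[str]]:
    """Return {account name: [findings]} for every account that needs attention."""
    cutoff = as_of - timedelta(days=INACTIVE_DAYS)
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        # Inactive: never signed in, or not within the policy window.
        if acct.last_login is None or acct.last_login < cutoff:
            issues.append("inactive")
        # Orphaned: the accountable owner is no longer on the HR roster.
        if acct.owner is not None and acct.owner not in active_employees:
            issues.append("orphaned")
        # A service account needs a named human owner, or nobody answers the attestation.
        if acct.kind == "service" and acct.owner is None:
            issues.append("unowned-service")
        # Over-entitled: rights granted but never exercised in the review window.
        unused = acct.granted - acct.used
        if unused:
            issues.append("unused-entitlements:" + ",".join(sorted(unused)))
        # Remote access without MFA is the pattern behind the Colonial Pipeline intrusion.
        if "vpn" in acct.granted and not acct.mfa:
            issues.append("vpn-without-mfa")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample data: three current employees; e205 has left the company.
ACTIVE_EMPLOYEES = {"e100", "e101", "e102"}
AS_OF = date(2022, 1, 31)
ACCOUNTS = [
    Account("alice", "user", "e100", date(2022, 1, 30), {"vpn", "crm"}, {"vpn", "crm"}, mfa=True),
    Account("bob-legacy", "user", "e205", date(2021, 4, 2), {"vpn"}, set(), mfa=False),
    Account("svc-backup", "service", None, date(2022, 1, 31), {"storage-admin"}, {"storage-admin"}),
    Account("carol", "user", "e101", date(2022, 1, 29), {"crm", "billing-admin"}, {"crm"}, mfa=True),
]

if __name__ == "__main__":
    for name, issues in review_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, AS_OF).items():
        print(f"{name}: {', '.join(issues)}")
```

The stale, orphaned, MFA-less VPN account (`bob-legacy`) is the one that should be disabled first; `carol` is not a security incident, but her unused billing-admin role is exactly the kind of entitlement an attestation cycle should ask an owner to justify or revoke. In a real deployment the `used` set would come from sign-in and authorization logs rather than being hand-entered.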
Once security teams have that visibility into the access granted to every account, they can begin to institute zero trust security and evaluate every access or entitlement request in real time. Today’s security systems should use contextual information to inform that decision: if an employee makes a routine access request at a typical time, from a known device and from a familiar IP address, the system can grant it with a high degree of confidence; when one of those signals is off, it should require step-up authentication or deny the request rather than wave it through.
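The following is an added example (not SecurID’s product logic) of the contextual decision just described: each signal that deviates from the user’s baseline adds to a risk score, and the score selects allow, step-up or deny. The weights, thresholds, device identifiers, CIDR ranges and sample requests are all assumptions made for illustration.

```python
"""Added example (not SecurID's code): a context-aware access decision.
Weights, thresholds and all sample data are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Baseline:
    known_devices: set[str]
    familiar_networks: list[str]   # CIDR blocks the user normally connects from
    usual_hours: range             # local hours in which the user normally signs in
    usual_resources: set[str]


@dataclass
class Request:
    user: str
    device_id: str
    source_ip: str
    when: datetime
    resource: str
    privileged: bool = False       # admin-level action rather than routine access


def risk_score(req: Request, base: Baseline) -> tuple[int, list[str]]:
    """Score a request against the baseline; higher means less like the user's habits."""
    score, reasons = 0, []
    if req.device_id not in base.known_devices:
        score += 40
        reasons.append("unknown device")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in base.familiar_networks):
        score += 30
        reasons.append("unfamiliar network")
    if req.when.hour not in base.usual_hours:
        score += 15
        reasons.append("atypical time")
    if req.resource not in base.usual_resources:
        score += 15
        reasons.append("unusual resource")
    if req.privileged:
        score += 20
        reasons.append("privileged action")
    return score, reasons


def decide(req: Request, base: Baseline) -> tuple[str, int, list[str]]:
    """Map the score to allow / step-up (demand MFA or re-authentication) / deny."""
    score, reasons = risk_score(req, base)
    if score < 30:
        return "allow", score, reasons
    if score < 70:
        return "step-up", score, reasons
    return "deny", score, reasons


# Constructed baseline and requests for one user.
ALICE = Baseline({"laptop-7f3a"}, ["10.20.0.0/16", "203.0.113.0/24"], range(8, 19), {"crm", "wiki"})
REQ_ROUTINE = Request("alice", "laptop-7f3a", "10.20.4.12", datetime(2022, 1, 18, 10, 5), "crm")
REQ_ODD_HOUR_ADMIN = Request("alice", "laptop-7f3a", "10.20.4.12", datetime(2022, 1, 18, 2, 40),
                             "crm", privileged=True)
REQ_NEW_DEVICE_ABROAD = Request("alice", "phone-unknown", "198.51.100.23",
                                datetime(2022, 1, 18, 10, 5), "crm")

if __name__ == "__main__":
    for req in (REQ_ROUTINE, REQ_ODD_HOUR_ADMIN, REQ_NEW_DEVICE_ABROAD):
        verdict, score, reasons = decide(req, ALICE)
        print(f"{req.device_id:>14} {req.source_ip:>15} -> {verdict} ({score}) {reasons}")
```

Two caveats worth keeping in mind: "allow" here still means the user has authenticated, and the score only decides how much additional proof to demand; and the device signal is only as strong as its source, so in practice the device identity should come from a managed-device certificate or MDM posture check rather than from anything the client can simply assert.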
Moving toward zero trust can help businesses control elastic cloud resources, service accounts and robotic process automation (RPA), all of which are driving identity sprawl and significantly expanding the attack surface. Gartner estimates that businesses using cloud resources should expect at least 2,300 least-privilege policy violations per account per year. It’s easy to see why: 61% of organizations said their cloud environments changed every minute, and IBM found that cloud misconfigurations were the third most frequently used initial attack vector in data breaches last year.
We’ve already seen major breaches result from lapsed or misconfigured controls. In the 2017 Equifax breach, which exposed the personal information of 147 million people, attackers entered through an unpatched Apache Struts vulnerability, and an expired certificate on the company’s traffic-inspection device meant the resulting data exfiltration went undetected for months. And that happened when security teams mostly had human users to worry about: Deloitte’s Global Robotic Process Automation (RPA) Survey found that nearly three quarters of businesses expect to begin rolling out RPA by 2027. If security teams roll out automated resources that can make up to 10,000 decisions per minute, and that are permitted to spin up new identities, then they should put automated controls in place that can scale and react accordingly.
Cybersecurity leaders need to modernize attestation, the periodic review in which account owners recertify that each identity and entitlement is still needed, and bring identity governance in line with current disruptions, because bot accounts, the Great Resignation and ungoverned accounts are combining to form a perfect storm. Although many employees may know not to trust fake versions of their colleagues asking them to reset a password, the problem is growing far larger, and far faster, than any single identity.