With cyberattacks around the world escalating rapidly, insurance companies are ramping up the requirements to qualify for a cyber insurance policy. Ransomware attacks were up 80% last year, prompting underwriters to put in place a number of new provisions designed to prevent ransomware and stem the record number of claims. Among these are a mandate to enforce multi-factor authentication (MFA) across all admin access in a network environment as well as protect all privileged accounts, specifically machine-to-machine connections known as service accounts.
But identifying MFA and privileged account protection gaps within an environment can be extremely challenging for organizations, as there is no utility among the most commonly used security and identity products that can actually provide this visibility.
In this article, we'll explore these identity protection challenges and suggest steps organizations can take to overcome them, including signing up for a free identity risk assessment.
How Can You Protect Privileged Users If You Don't Know Who They Are?
Underwriters are now requiring MFA on all cloud-based email, remote network access, as well as on all administrative access for network infrastructure, workstations and servers, directory services, and IT infrastructure. The last requirement here is the biggest challenge – so let's examine why.
The problem is that defining administrative access is easier said than done. How do you compile an accurate list of every admin user? While some can be easily identified – for example, IT and helpdesk staff – what about so-called shadow admins? These include former employees that may have left without deleting their admin accounts, which then continue to exist in the environment along with their privileged access. As well, there are also users with admin access privileges who may not have been officially assigned as admins, or in some cases temporary admins whose accounts weren't deleted after the reason for their creation was complete.
The bottom line is that in order to secure all user accounts with MFA, you first need to be able to find them. And if you can't do that, you're at a loss before you've even started considering what the best protection strategy is.
The Case of Service Accounts: An Even Bigger Visibility Challenge
Cyber insurance policies also require organizations to maintain a list of all their service accounts. These are accounts that perform various tasks in an environment from scanning machines and installing software updates to automating repetitive admin tasks. To qualify for a policy, organizations need to be able to document all service account activities, including source and destination machines, privilege level, and the applications or processes that they support.
Service accounts have become a major focus for underwriters because these accounts are often targeted by threat actors, due to their highly privileged access. Attackers know service accounts are often unmonitored, therefore using them for lateral movement will go undetected. Attackers seek to compromise service accounts using stolen credentials then use those accounts to get access to as many valuable resources as possible in order to exfiltrate data and spread their ransomware payload.
The challenge of inventorying all service accounts, though, is an even greater one than doing so for human admins. The reasons is because there is no diagnostic tool that can detect all service account activity in an environment, meaning that getting an accurate count of how many exist is challenging at best.
As well, unless meticulous records have been kept by admins, determining every account's specific pattern of behavior – such as their source-to-destination machines as well as their activities – is extremely difficult. This is because of the many different tasks that service account perform. Some accounts are created by admins to run maintenance scripts on remote machines. Others are created as part of software installation to perform updates, scans, and conduct health checks related to that software. The upshot is the getting full visibility here is close to impossible.
The Right Assessment Can Identify Gaps in Identity Protection
To qualify for a cyber insurance policy, organizations need to close their gaps in identity protection. But first those gaps have to be identified, because you can't address what you're not aware of.
With the help of a thorough assessment, companies will finally be able to see all their users and their level of privilege, identify any areas lacking MFA coverage, and also get a picture of other identity protection weaknesses, such as old passwords still in use, orphaned user accounts, or any shadow admins that are in the environment.
By focusing on authentications, the right assessment will reveal exactly how users are gaining access and identify any attack surfaces not currently being protected. These include all command-line interfaces and service account authentications, which will allow organizations to meet the new cyber insurance requirements with ease.
A rigorous assessment can also uncover additional areas not currently required by insurers but still vulnerable to attack, such as file shares and legacy apps. Coupled with actionable recommendations, organizations will soon find their security posture dramatically improved.
Do you know where your gaps are? Sign up today for a free identity protection assessment from Silverfort to get complete visibility into your environment and uncover any deficiencies that need to be addressed so your organization can qualify for a cyber insurance policy.