Verizon’s Data Breach Report: Privilege without Control Is Bad News

In my previous life working on endpoint data protection, the annual Verizon Data Breach Investigations Report was required reading.  The report is unique in its coverage of real data breach incidents, its rigor of analysis, and its insights into where and why we should think about security in our own IT environments.

This year’s report is no exception. It’s a relatively brief 62 pages, but if you want just the highlights, you can start with the executive summary.

Three things stood out for me in this year’s analysis of breaches:

  • Over 50% of breaches resulted in servers being compromised.
  • About 80% of successful hacks involved authentication-based attacks.
  • About 80% of successful attacks involved methods with low or very low relative difficulty.

This isn’t rocket science. (Okay, it’s computer science.)  Servers (especially servers with data at rest) are where the action is, and the simplest and most direct way to get to them is to leverage someone’s legitimate administrative privilege; or, as the report puts it:

“…the easiest and least-detectable way to gain unauthorized access is to leverage someone’s (or something’s) authorized access. Why reinvent the wheel?”

This is exactly why we all need to take a hard look at the state of privilege management across our users and resources.

Attackers depend on being able to leverage accounts with privilege to get through our defenses.  We can take meaningful steps to significantly reduce their attack surface by taking control of the way we manage user and service privilege.  At the same time, controlling privilege will improve our ability to pass compliance audits, both internal and external (e.g. SOX, HIPAA, PCI-DSS, etc.)  We can, for example:

  • Implement the principle of least privilege, which means limiting user and administrator access across your systems and resources to only the applications and information their job requires
  • Grant privileged access on a per-service or per-resource basis instead of granting wide-open administrative privilege
  • “Timebox” privilege for contractors and third parties
  • Audit privileged actions
  • Unify identity policy management to reduce errors, ensure consistency across systems, and simplify your administrators’ lives by eliminating “swivel chair” administration

In case you know someone who needs more persuading that it’s time to think about privilege management, consider that among the critical security controls listed by the Center for Strategic & International Studies, the control that addresses more of the top action threats in the Verizon report than any other is controlled use of administration privilege.  (See the column for control 12 in Figure 46: CCA’s Critical Security Controls mapped to common VERIS threat actions on page 58 of the report.)

The report also makes a strong case that, for certain types of organizations, it’s not a matter of whether you will be breached – it’s a matter of when.  And that means that we should stop pretending that it’s never going to happen to my organization, and that we should figure out how we would respond if and when it happens, or as the report puts it:

“But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let’s stop treating it like a backup plan if things go wrong, and start making it a core part of the plan.”

Clearly, a critical component of your response plan will require strong, centralized auditing in place for actions taken with administrative privilege, both by users (e.g. administrators) and systems (e.g. “service accounts”).  With auditing in place, you’ll be better equipped to determine where, when and how a breach occurred, which is key to understanding the scope of the breach as well as how to contain it.

Taken together, getting control of your user and system administrative privilege and implementing strong, centralized auditing for privileged actions will help you prevent attacks on your IT infrastructure, better enable you to meet compliance requirements for regulated data and systems, and make it easier for you to respond if and when you experience a breach at your organization.

These are some of the reasons we created the Centrify Suite – to enable customers to unify identity and audit policy across all the servers in their data center (UNIX, Linux, and Windows) through a “single pane of glass”.  Did you know that Centrify added support for privilege management on Windows in Centrify Suite 2013?  I think that the need for a better solution for privilege management on Windows Server is grossly underappreciated, and I’ll be writing more about it in future blog postings.

You can find the Verizon 2013 Data Breach Investigations Report online at:…

And you can find more information about Centrify Suite 2013 at: