Updates

Privileged access management makes you more secure by permitting least-privileged access to your most important information and endpoints at the right time and only when it is needed. It is a fundamental element in the Zero Trust architecture. To maximize your security and investment in PAM, we are reviewing common privileged access management mistakes that you should avoid.

Every business has users who need privileged access to its data and endpoints. These can be your employees, partners or contractors. Protecting these credentials and implementing best practices makes sure that your business reduces its security risks. Committing the PAM mistakes outlined below undermines your security and investments. In some cases, these mistakes remove the strengths of having it in the first place.

What are the Risks of PAM Mistakes?

Of the four privileged access management mistakes we review below, you will notice that many are procedural in nature. These procedural mistakes create vulnerabilities in your security and undermine your PAM implementation and its efficacy. These are particularly important to avoid if you are striving to attain cybersecurity architectures like Zero Trust.

Other PAM mistakes revolve around mistakes a privileged user their self may commit. Mistakes can happen anywhere, but when a user with privileged access commits a mistake that opens you up to a security breach, the outcome is much more devastating.

That’s why following best practices and avoiding the privileged access management mistakes below are good first steps to take to make sure your implementation is leveraging all of its strengths and avoiding weaknesses that undermine your implementation’s benefits.

Common Privileged Access Management Mistakes

Your Roles are Assigned Based on Job Title

This is an easy mistake to make. As you are developing your implementation and determining roles, it’s common to start with your job titles. It’s easy to assume that job titles should equal your privileged roles. These are not the same thing.

Your Systems Administrators may have very different scopes between their roles, for example. Especially if one is a Windows systems admin versus the other, who might be a Linux system admin. Do they really need the same access to the same things? Or should their access only be permitted to something deeper about their roles and performing the important elements of their role within the business?

Determining these roles and what is different about them, beyond just the job title, are key elements to define. By committing this mistake, you are not enabling the least-privileged access needed for the assigned roles and are giving up the benefits of a strong PAM implementation.

You are Sharing Your Privileged Account Credentials

Credential sharing is common. We’ve discussed the issues with it in the past, but sharing of credentials among your most privileged accounts is an even greater security risk. If your credentials are shared across your plant, for example, what happens when an employee or contractor no longer works there?

In many cases, businesses do not change the credentials of these privileged accounts. It can be difficult and time consuming to do, especially when there are many. Instead of doing anything, these former users retain all of that knowledge of how to access your network while also having all of the privileges to your most important endpoints and data that this knowledge grants them.

It’s a considerable security risk and makes it very difficult to understand who did what, should a breach occur.

Not Protecting Your PAM Accounts with Additional Authentication Factors

Your most privileged accounts need additional verification measures attached to them to authenticate the user gaining access. One of those additional measures should be an MFA solution to ensure that simply having user credentials is not sufficient enough to gain access to your most important information or endpoints.

If you’re committing the privileged access management mistake mentioned above, in conjunction with this one, you have very little in the way between a user knowing how to access your endpoints and you being able to stop them.

Using a Privileged Account for Everything

Your privileged accounts should be to access and perform the role as necessary, when necessary. Part of enabling least-privileged access as a best practice is providing it only when it is needed. If a user is using their privileged account to surf the web, check email or do other functions that don’t pertain to that role’s requirements specifically, they should not be using that account anymore.

If a user accesses email on their privileged account, for instance, and falls victim to a phishing attempt, then one of your company’s most critical accounts is now compromised. These accounts should be kept as secure as possible.

Avoid Common PAM Mistakes and Follow Best Practices for Heightened Cybersecurity

By avoiding this common role based access mistakes, you will be one step closer to achieving a Zero Trust-worthy cybersecurity implementation. We’ve written extensively about the importance of privileged access management. For continued reading, we suggest our Secure Remote Access Maturity Model as well as our RBAC Best Practices posts as your next resources.

If you have any questions about your implementation or want to know where to start, you can always contact us here.

Companies suffer from cyber attacks every day, testing their defenses and their preparation. How to respond to a cyber attack is a key step in reducing damage or fallout from these attacks.

A poor response can result in harming your reputation, loss of life or injures in the event of an OT attack, loss of money, or all of these things. While avoiding attacks by establishing a Zero Trust-level defense should be your goal, you need to prepare for the event that something happens.

To borrow from the Zero Trust mindset – you must always assume a breach has happened or will occur. In that case, knowing how to respond to a cyber attack is an important step in achieving your Zero Trust mindset and preserving the future of your organization.

Responding to a Cyber Attack

Having an incident response plan should be something you have clearly defined from the beginning. The last thing you want is to be outlining how to respond to a cyber attack as it is happening. This will result in confusion, poor communication and loss of critical time and information that can help contain the current attack or prevent the next one.

This response plan will include people, processes and technologies that you will rely on to act quickly and confidently when responding to a cyber attack to mitigate further damage. With this in mind, we’ll cover the important pieces below that you need in place to make sure your response to a cyber attack is effective.

Develop Your Incident Response Plan

When responding to a cyber attack, you want a designated crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business.

Additionally, you want to make sure you know who in law enforcement you should be contacting and they know who you are as well. This will include anyone from the local police up to the FBI, depending on the type of threat.

Next, you’ll want to assure the availability of key personnel. Not only should your personnel be identified and know what their role is for responding to a cyber attack, you must make sure they are available to respond. You may also need to identify means to provide surge support for responding to an incident.

You must be ready to act decisively. Identifying your team, making them aware of their roles and practicing your response plan will ensure you know how to respond to a cyber attack. Time is critical when responding to a cyber attack, as even small mistakes or confusion can cost you greatly.

Know How to React to a Cyber Attack

In addition to planning your team, your plan must consider and account for the various types of attacks you could receive. Practicing responses to these attacks and knowing what to do for each will help you remain confident and act decisively when responding to a cyber attack.

If you suffer a DDoS attack, you should know the proper steps and procedures, such as contacting your ISP and telling them you’re under attack or recognizing that it could be that the attackers are trying to break in during this attack. Look at the machines that were under attack and examine them carefully.

However, if it’s a malware attack, unplugging the machine and removing the disc drive, then isolating and removing the files is a better response. If you suffer a trojan attack, removing the infected system out of your network to contain the virus should be your action.

Your goals will always be to isolate, to contain and to stop the spread of the threat, while preserving the evidence and documenting exactly what you did and when. Any response must be controlled, planned, audited and have a clear and complete set of logs of all human activity, dates, times and responses from that activity.

This provides clear guidance to more than the person remediating the attack, it also shows all resources from internal, contracted third party and government, about what was done, how, by whom and the order of events and their associated actions. Of course, the control of access to affected assets is critical to forensic understanding of the adversary and your response execution.

Preparing Your Defenses

While knowing how to respond to a cyber attack is critical to reducing unwanted outcomes for your business, preventing them in the first place is your most ideal step. That’s why we discuss how to achieve Zero Trust and have maturity models based around its architecture. It’s also why our cybersecurity platform is ready to help you enable a Zero Trust architecture.

If you need assistance in attaining this level of security or don’t know where to start, you can talk to us here to learn what you can do to increase your security.

Supply chain security is a cybersecurity challenge with multiple touch points between vendors and partners, contractors and others. It’s important that you are doing what you can to enforce proper supply chain security best practices. Being able to support vendors while protecting your data and processes is critical to your business.

We’ve previously discussed the importance of supply chain security and how you must account for it in order to go beyond a Zero Trust cybersecurity baseline. Today, we’re taking that further by providing the top supply chain security best practices.

Why is Supply Chain Security Important

Supply chains are becoming ever more complex. As technology has introduced incredible efficiencies into supply chains, it also brought new risks as new touchpoints within the chain were created. Therefore, mitigating these risks that are introduced is critical to maintain the security of your network.

Maintaining this security can feel like a moving target, however. As supply chains grow and include even more third parties, all needing certain levels of access to your network in order to perform their role, it makes a potentially easy point of weakness in your defenses. That increased integration with your partners and the network access and data being shared, on top of unknown disclosures around security practices, can feel like a difficult combination to secure.

This is why we stressed the importance of evaluating your supply chain in our beyond Zero Trust series. Evaluating your supply chain cyber security means considering more than the product itself of a company you are considering, or how a partnership can add value to your business. You need to consider what those businesses are doing to ensure they are safe from an attack and are protecting those involved in their supply chain. You are only as strong as your weakest link in this chain.

How to Protect Your Supply Chain

It’s important to remember three key things when securing your supply chain:

• Your defense should be based on Zero Trust. Never trusting connections or devices, and assuming that a breach can happen any time.
• Breaches result from a lack of cybersecurity knowledge or proper security. Ensure that your supply chain is taking cybersecurity as seriously as you are, educating their employees with cybersecurity training and doing assessments like the SOC for Supply Chain
• Every link in your supply chain must be strong. You are only as strong as the weakest link within it.

With these principles in mind, let’s look at the supply chain security best practices you should be following to make sure that you are on your best defense against a potential breach.

Supply Chain Security Best Practices

Assess Your Partners – We’ve stressed the importance of this before, but you are truly only as strong as the weakest link in your chain. You should make sure before accepting anyone into your supply chain that you are evaluating how they manage their own security. Do they train their team on cybersecurity best practices and penetration test their product and company? Security requirements must be an important part of these discussions. Once they have been officially accepted into your supply chain, your team should be working to address vulnerabilities or security gaps that could be introduced.

Role-based Access Controls – Secure, least-privileged access needs to be emphasized. You should know how your supply chain accesses your network and you should only be granting access that allows them to accomplish their role and nothing else. You should always be verifying their identity, just like in the Zero Trust model, no inherent trust should be permitted to any partners.

Know your assets and who is accessing them – In addition to access control policies, it’s important that you know the assets on your network. You won’t be able to properly define who should be accessing what without the knowledge of what those assets are and how they are configured. More important, this is something you should be doing all the time, not just once and then moving on. If you do not know where the front door of your business is, then you can not set a proper perimeter to defend it.

Incident Response Planning – We talked about critical elements in an incident response plan, and it extends to your supply chain as well. You must be prepared in the event of a breach and have protocols in place to act fast. Any time wasted with confusion can mean drastic impacts to your business. Everyone must be prepared and know their role should an incident occur that needs your team to react quickly.

Steps for a Better Defense

These supply chain security best practices will get you started on the path to better security and help you manage the ever-evolving complexities within it. As partners in our customer’s supply chains, we ensure that we are doing our part to not only help them enforce their cybersecurity needs, but penetration test our product and company. It’s also why we completed our SOC for Supply Chain examination.

To make sure you’re meeting your Zero Trust needs and going beyond them, you can talk to us here about your cybersecurity requirements and how ConsoleWorks can help you achieve your IT and OT security requirements.

Passwords are an important part of your security and also one of the easiest ways that hackers gain entry into your network. User credentials are constantly under attack. That’s why we’re talking about common password security mistakes and what you should do to avoid them.

We’ve discussed password security best practices before. We also talked about having regular cyber security training in your company. But even with these in mind, it’s important to highlight the common password security mistakes that you might be committing.

What are the risks of password mistakes?

The risks from committing these password mistakes are great. A compromised account, especially one without least-privileged access, can result in your most important information or devices being stolen or attacked. With the rise of ransomware attacks as well, we’ve highlighted in the past how compromised credentials can result in millions of dollars lost for companies whose credentials are compromised.

If you are committing the password security mistakes below, your risks increase more. Some of the mistakes below, though common, open you up to easily being compromised, from lack of barriers or because of reused or shared passwords.

Common Password Security Mistakes

Changing Passwords Too Often

Many companies have the routine of changing their passwords at regular intervals, even when there is no evidence that a password has been compromised. This presents various challenges for the user having to change the password. They need to remember something new, because it can’t be an old password, and it needs to be sufficiently complex.

This means many people have difficulties remembering their new password. Employees can end up forgetting, locking their selves out, or compensate by writing their passwords down to remember them, which compromises security of the password. All of these are bad outcomes.

A better solution is to have a password vault that will manage these complex passwords for you and remove the challenges and shortcuts people will take to login with their credentials as easily as possible.

Not Using Passphrases

Requiring a password to be more than 15 characters long and have a mixture of letters, numbers or characters is a big task for someone to remember. This is why passphrases should be used to remember such lengthy requirements. Instead of a mixture of random letters, numbers and characters, using a phrase, while substituting letters in the phrase with numbers, is far easier to remember and makes for a strong password.

Avoiding using passwords based on your personal information, like birthday, phone number, address or other personal information that is easy to discover should be avoided. These are too easy to crack, along with simple words that a dictionary-style attack could quickly discover.

Sharing Passwords

Sharing of passwords is common. It’s also a big password security mistake. When everyone has the same credentials, your endpoints are not secure. It also amplifies issues of password management. If a person is terminated, you can not simply deactivate an account associated with that individual. Your problems instead become amplified and, in many cases, you may not even know what endpoints that individual even knew the passwords to when sharing is so rampant.

Not Using Multi-Factor Authentication

Passwords are too important to not protect with additional layers of authentication. If you aren’t implementing least-privileged access, you should at least be putting MFA to authenticate users. Make sure you aren’t committing this mistake by not protecting your passwords with additional methods of authentication.

Reusing Passwords

There are a few reasons users commit this password security mistake. It’s hard to remember complex passwords, especially when you are in an organization that makes you change your passwords frequently (one of our other password security mistakes). To combat this issue, users may reuse their password across devices and accounts. Of course, this means that once one of them is compromised, the rest of them are compromised.

This highlights the importance again of using passphrases, so your passwords remain complex, but also easy to remember for yourself. It’s also another reason password vaulting is a great option to pursue as you look to increase your password management maturity.

Reduce Your Password Security Mistakes, Increase Your Cybersecurity

If you’re looking for quick security wins, examining how your business treats its passwords is a good place to start. Many of the mistakes we listed above are both common and easy to fix. If you’re looking to truly overhaul your password security and reach architectures likes Zero Trust, we have more resources for you.

Our Password Management Maturity Model and our Password Management Best Practices will help you see what you should be doing and also where you currently are on your journey to achieving a Zero Trust-worthy implementation in this area of your cybersecurity.

If you have any questions or want to know how we can help you, you can contact us here.

As you look to implement a Zero Trust architecture, it’s critical to move away from the inherent trust permitted in the traditional Castle and Moat architecture. Our network security maturity model will help clarify the different levels of implementations on your path to achieving more sophisticated network defense.

While working on your implementation, we also recommend reviewing our Network Segmentation Best Practices. This acts as a companion piece to the network segmentation maturity model. It will help you keep in mind important practices for your implementation and the benefits you receive from a mature implementation.

What is a Network Security Maturity Model

Our Network Security Maturity Model reviews three levels, from beginner to advanced, of implementations. We also review at what level you can attain a Zero Trust-worthy implementation of network security and why.

Each level builds on the previous, adding in new elements to your architecture and enhancing your security. We’ll especially be focusing on how a network is constructed or segmented, to hinder ease of movement for an attacker and to protect your most critical information or endpoints.

There are various network segmentation models and we have discussed the 62443 model previously, which you can also reference for approaches to your network segmentation as you move forward in this process.

Network Segmentation Maturity Model Stages

Network Security Level: Beginner

At the beginner level of network security, you have very few defenses or segmentation. At the edge of your network, you are allowing inbound and outbound traffic without examination or controls in place. This leaves you especially vulnerable, as you do not know where the traffic is coming from, do not know what it is doing or where it is going, and it can move laterally through your network both quickly and easily. This is due to a lack of segmentation or having security zones a user needs to pass through within the network. There is an inherent trust permitted at this level to your traffic.

Network Security Level: Intermediate

At the intermediate level you aren’t blindly permitting access into your network. You now have firewalls at the edge and restrict inbound and outbound traffic to your devices. While you might be restricting this access, your network still looks relatively flat.

This still means you are vulnerable to a bad actor who gains access. Much of the network’s assumptions about access at this point still revolve around trusting a user who has access. This also means once a user does gain entry, they are able to freely move around the network without challenge.

The other point that marks both a beginner and intermediate level of network security from an advanced level, is that these lower levels are very reactive in their defense. While an intermediate level might have more protocols in place to respond to a threat, they are not actively monitoring for them, nor do they have a network architecture that enables them to easily see what is happening inside of it. It also lacks a way to contain a threat to just one area within that network.

Network Security Level: Advanced

At an advanced level of network security, you are following strict access policies and functionally breaking up your network into segments. It now has various security levels, with the most important assets kept down at the lowest levels, with the fewest connections able to reach that point.

A solution like ConsoleWorks is also used to permit least-privileged access to these endpoints as well, layering in complexity to how the network is secured, and removing the elements of inherent trust from the network.

You’ve built your network security around the consideration of your deepest security levels, where your most important devices are kept first. This bottom-up approach helps you with securing user access at the other security zones.

This way you also begin to address challenges, like in OT, where aging assets that were never built with the intention of it being connected to a network, can still remain protected when they are introduced to that network and forced to interact with today’s environment.

Here now you are also proactive about detecting attacks. By having a well-defined architecture that doesn’t permit trust, you are constantly monitoring users and activity on your network. You are also more easily able to contain a breach to one area of your network rather than it spilling further, due to your various security zones and micronetworks.

The Road to Cybersecurity Maturity

It is important to remember that a fully mature cybersecurity architecture involves many pieces.  We recommend our Password Management, Secure Remote Access, Baseline Configuration Monitoring and Zero Trust maturity models to further explore reaching cybersecurity maturity. These posts elucidate the features and design needs to attain higher maturity levels across other areas of your cybersecurity.

Should you need any help or have questions about attaining higher levels of maturity, or want to go beyond Zero Trust security in your environment, you can always reach out and talk to us here.

The new CIP-005-7 version has added a new requirement (R3), are you aware of this change? This new standard is coming into effect on October 1 and the controls to achieve the requirement must be in place prior to the effective date. Has your organization found a solution to meet the new requirements?

For those entities that have already had to implement, at some level, the Interactive Remote Access (IRA) requirements applicable to High Impact BCS and their associated PCA and Medium Impact BCS with external routable connectivity, this should not be a foreign concept.

The purpose of this new requirement is to ensure that your Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) are not vulnerable to some of the threats introduced by having vendors and suppliers manage and/or support your assets remotely.

 What language are you speaking?

Before we dive into describing the controls needed and the opportunities available to solve for meeting these compliance requirements, let’s take a step back and come to terms with some TERMS.

There are many acronyms used within the industry and I don’t want to bore you with hours of acronym definitions. For a better breadth of understanding I highly recommend becoming familiar with the governing bodies formal descriptions found in the  “NERC Glossary of Terms”.

For the purpose of this discussion, I am providing some important terms relative to this specific requirement:

• Bulk Electric System Cyber System (BCS)
  • One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
• Protected Cyber Asset (PCA)
  • One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP
• Electronic Access Control or Monitoring System (EACMS)
  • Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems
• Physical Access Control System (PACS)
  • Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.
• External Routable Connectivity (ERC)
  • The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection
• Intermediate Remote Access (IRA)
  • User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications
• Intermediate System (IS)
  • A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter

Now that you have a little background information on the terms we will be referencing, let’s move on to what the requirements are and why they are important for the protection of your BCS.

NERC CIP-005-7 R3- Vendor Remote Access Management for EACMS and PACS:

• (R3.1) Have one or more method(s) to determine authenticated vendorinitiated remote connections.
• (R3.2) Have one or more method(s) to terminate authenticated vendorinitiated remote connections and control the ability to reconnect.

Remote access is a common term initially associated with someone accessing your environment from the internet or outside your organization.  However, remote access is any type of connection or session that allows you to connect to a device from your desktop/laptop without physically connecting to the device. This includes all of your privileged employees’ access to systems they manage.

NERC CIP defines these connections as an “Interactive Remote Access” which typically is performed by a user-initiated activity. There is also a second type known as a “system-to-system” connection. This is just as it sounds; service accounts, script/batch accounts, computer processes. See the forementioned glossary of terms for a better understanding.

Both of these remote access types present a significant amount of risk to the BCS, EACM, and PACS environments.  The risk manifests itself through the different levels of risk mitigation controls through the different functional network’s criticality ratings.

Your BCA’s and PCA’s probably have more cyber security controls deployed around them, known as defense-in-depth architecture, to preserve the operational reliability of that network than the network that is hosting your laptop or desktops.  When a remote connection is established, the less secured remote device now introduces foreign threats to the environment.

Remote access by a vendor further elevates this risk because you are not in control or knowledgeable of how well their security posture is. Just by allowing a remote connection from a vendor your organization has assumed/accepted a certain level of risk.

Some Things to Consider

• How well do you trust the vendor’s cyber security posture at their facility?
• Are you comfortable that the tools they use have been secured appropriately to the level of criticality of your environment?
• Do you trust the actions they are performing within the environment? Can you validate that work?
• How do you know their login ID has not been compromised?

So How Do I keep my critical environment safe as I meet my compliance objectives?

ZERO TRUST: Deny-by-Default

In simple terms: Don’t trust anyone or anything!!! Know what is on the network, authorize only those personnel and assets to perform the business functions needed and deny, remove, or block all other activity.

For those items you have authorized, audit and log all activity to include changes to the environment.  You can read additional coverage on supply chain risk in our blog here.

Control Each Connection

Broker the connected session by establishing a protocol break between the BCS/EACM/PACS and the remote vendor’s Cyber Asset. This allows for the ability to authorize the data flow, monitor the session creation and terminate any connected session on demand.

It also provides the ability to define a baseline policy around connection behavior such that the authorization and access can be alert and ready to remove, if desired, the vendor’s ability to re-establish the connection.

Ensure You Are Auditing and Logging

And as always you must have the ability to capture system events, session events, and user activity events to be correlated.  This provides for the monitoring, alerting, and auditing for potential malicious activity and incident identification.

Isolate Your Supply Chain

One way to make sure you are doing this is by not giving full access to your supply chain. Instead, those vendors who need access to certain information are segmented into their own space, in addition to layering other security measures like privileged access management on top of it. In the event of a breach on their end, you have reduced your risk.

Taking Your Next Steps

The threat of internal and external remote access to OT and IT environments are the core of our focus. Our solution, ConsoleWorks, delivers on this focus.  It provides risk mitigating controls that meet and exceed the NERC CIP compliance requirement(s).

See our three part series on the Zero Trust security architecture to see how ConsoleWorks complements your NERC CIP and Enterprise strategies.

If you would like more details on how ConsoleWorks can help you meet compliance while increasing efficiency and security, we are always available to talk about your particular needs here.