Following the recent news that the British shipping company Clarksons has revealed that a data breach it suffered last year stemmed from a hack on a “single and isolated user account”, Joseph Carson, Chief Security Scientist at Thycotic, offers the following comment.
Joseph Carson, Chief Security Scientist at Thycotic:
“Many organisations have failed to implement privileged access security and, in failing to do so, they typically allow single user accounts to access sensitive information directly with only a single password protecting the sensitive data. Many cybercriminals use techniques that first target user accounts through phishing and social engineering, then move laterally to find those privileged accounts that provide them with full access to the network and sensitive data. However, in this particular instance it appears they hit the jackpot account with their first try – or they have a good passive assessment, so they knew which user account to target. Privileged Access Management is something that many organisations have prioritised in 2018; however, these serious data breaches show that rather than just prioritising it as a project, they must act immediately and implement ASAP.
In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely. If it is found that EU GDPR applies and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty.
The lessons to be learned from this incident are the importance of protecting accounts with privileged access to sensitive data and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data – at least without peer reviews and approval processes. For example, Thycotic released a report in 2017 describing the Anatomy of a Privileged Account Hack, and this is almost a clear indication that a single account can lead to a cyber catastrophe.”
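The two controls the comment asks for (no password-only privileged accounts, and no broad access to sensitive data without an approval process) can be checked mechanically against an account inventory. The following is an added example, not code from Thycotic or from the original post; the inventory schema, the sample accounts and the `BROAD_ACCESS_THRESHOLD` value are all constructed for illustration.

```python
"""Audit an account inventory for two privileged-access weaknesses:
(1) a privileged account protected by a password alone (no MFA), and
(2) an account with direct access to many sensitive datasets and no
    approval-gated (peer-reviewed / just-in-time) access path.
Schema and sample data are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enforced: bool
    sensitive_datasets: frozenset  # datasets the account can read directly
    approval_gated: bool           # access only via a reviewed request


# Above this many sensitive datasets an account's reach is treated as
# "broad". Constructed threshold; an organisation would tune this.
BROAD_ACCESS_THRESHOLD = 3


def audit(accounts):
    """Return (account name, finding) pairs for every control violation."""
    findings = []
    for a in accounts:
        if a.privileged and not a.mfa_enforced:
            findings.append((a.name, "privileged account protected by password only"))
        if len(a.sensitive_datasets) > BROAD_ACCESS_THRESHOLD and not a.approval_gated:
            findings.append((a.name,
                             f"direct access to {len(a.sensitive_datasets)} "
                             "sensitive datasets without an approval gate"))
    return findings


def blast_radius(accounts):
    """Fraction of all known sensitive datasets reachable from each account,
    i.e. how much a compromise of that single account would expose."""
    all_data = frozenset().union(*(a.sensitive_datasets for a in accounts))
    if not all_data:
        return {a.name: 0.0 for a in accounts}
    return {a.name: len(a.sensitive_datasets) / len(all_data) for a in accounts}


# Constructed sample inventory (not real accounts or datasets).
SAMPLE_ACCOUNTS = [
    Account("svc-crm", True, False,
            frozenset({"crm", "hr", "finance", "contracts", "email"}), False),
    Account("j.smith", False, True, frozenset({"crm"}), False),
    Account("dba-admin", True, True,
            frozenset({"crm", "hr", "finance", "contracts"}), True),
    Account("helpdesk", True, False, frozenset(), False),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
    for name, share in sorted(blast_radius(SAMPLE_ACCOUNTS).items(),
                              key=lambda kv: -kv[1]):
        print(f"{name}: {share:.0%} of sensitive datasets reachable")
```

In the constructed sample, `svc-crm` is the “jackpot” shape the comment describes: a single password-only account whose blast radius is 100% of the sensitive data, whereas `dba-admin` reaches most of the same data but only through an MFA-backed, approval-gated path and so produces no finding.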
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.