
Tackling the New Cyber Insurance Requirements: Can Your Organization Comply?

Feb 07, 2023 | The Hacker News | Identity Protection / Cyber Insurance


With cyberattacks around the world escalating rapidly, insurance
companies are ramping up the requirements to qualify for a cyber
insurance policy. Ransomware attacks were up 80% last year [1],
prompting underwriters
to put in place a number of new provisions designed to prevent
ransomware and stem the record number of claims. Among these are a
mandate to enforce multi-factor authentication (MFA) across all
admin access in a network environment as well as protect all
privileged accounts, specifically machine-to-machine connections
known as service accounts.

But identifying MFA and privileged account protection gaps
within an environment can be extremely challenging for
organizations, as there is no utility among the most commonly used
security and identity products that can actually provide this
visibility.

In this article, we’ll explore these identity protection
challenges and suggest steps organizations can take to overcome
them, including signing up for a free identity risk assessment [2].

How Can You Protect Privileged Users If You Don’t Know Who They Are?

Underwriters are now requiring MFA on all cloud-based email,
remote network access, as well as on all administrative access for
network infrastructure, workstations and servers, directory
services, and IT infrastructure. The last requirement here is the
biggest challenge – so let’s examine why.

The problem is that defining administrative access is easier
said than done. How do you compile an accurate list of every admin
user? While some can be easily identified – for example, IT and
helpdesk staff – what about so-called shadow admins? These include
former employees who left without their admin accounts being
deleted, so the accounts, and their privileged access, continue to
exist in the environment. There are also users who hold admin
privileges without ever having been officially designated as
admins, and temporary admins whose accounts weren’t deleted once
the task they were created for was complete.

The bottom line is that in order to secure all user accounts
with MFA, you first need to be able to find them. And if you can’t
do that, you’re at a loss before you’ve even started considering
what the best protection strategy is.
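As an added example (not part of the original article), here is how an inventory script could enumerate the effective membership of a privileged group, following nested groups, and flag the shadow-admin patterns described above: accounts not on the approved admin list, accounts that inherit rights only through a nested group, and accounts that have not logged on in a long time. The directory snapshot, group names and user attributes are constructed for the example; a real inventory would pull them from the directory.

```python
"""Resolve effective membership of privileged groups to surface shadow admins.

Added example. GROUP_MEMBERS and USERS are a constructed directory snapshot,
not data from any real environment.
"""
from __future__ import annotations

from collections import deque

# Constructed snapshot: a group maps to its direct members, which may be
# users or other groups. Groups are prefixed "grp-" only so this example can
# tell them from users without a schema lookup.
GROUP_MEMBERS = {
    "grp-domain-admins": ["alice", "grp-it-ops"],
    "grp-it-ops": ["bob", "grp-contractors-2019"],
    "grp-contractors-2019": ["carol"],
    "grp-helpdesk": ["dave"],
}

# Constructed user attributes an inventory would pull from the directory.
USERS = {
    "alice": {"enabled": True, "approved_admin": True, "days_since_logon": 1},
    "bob": {"enabled": True, "approved_admin": True, "days_since_logon": 3},
    "carol": {"enabled": True, "approved_admin": False, "days_since_logon": 410},
    "dave": {"enabled": True, "approved_admin": False, "days_since_logon": 2},
}

PRIVILEGED_GROUPS = ["grp-domain-admins"]


def effective_members(group, group_members=GROUP_MEMBERS):
    """Return {user: membership_path} for every user reachable from `group`.

    Breadth-first, so the shortest path is recorded. The visited set guards
    against circular group nesting, which directories do permit.
    """
    found = {}
    visited = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in group_members.get(current, []):
            if member in group_members:          # nested group
                if member not in visited:
                    visited.add(member)
                    queue.append((member, path + [member]))
            elif member not in found:             # user seen for the first time
                found[member] = path + [member]
    return found


def find_shadow_admins(privileged_groups=PRIVILEGED_GROUPS, users=USERS,
                       group_members=GROUP_MEMBERS, stale_days=90):
    """Flag effective admins that are unapproved, inherited via nesting, or stale."""
    findings = []
    for group in privileged_groups:
        for user, path in effective_members(group, group_members).items():
            attrs = users.get(user, {})
            reasons = []
            if not attrs.get("approved_admin", False):
                reasons.append("not on approved admin list")
            if len(path) > 2:   # more than [group, user]: rights come via nesting
                reasons.append("inherits via nested group "
                               + " -> ".join(path[1:-1]))
            if attrs.get("days_since_logon", 0) > stale_days:
                reasons.append(f"no logon in {attrs['days_since_logon']} days")
            if reasons:
                findings.append({"user": user, "group": group,
                                 "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_shadow_admins():
        print(f["user"], "<-", " -> ".join(f["path"]), "|", "; ".join(f["reasons"]))
```

In the constructed data, `bob` is approved but only reaches Domain Admins through `grp-it-ops`, and `carol` is unapproved, stale and two nesting levels deep; both are exactly the accounts an MFA rollout would otherwise miss.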

The Case of Service Accounts: An Even Bigger Visibility Challenge

Cyber insurance policies also require organizations to maintain
a list of all their service accounts. These are accounts that
perform various tasks in an environment from scanning machines and
installing software updates to automating repetitive admin tasks.
To qualify for a policy, organizations need to be able to document
all service account activities, including source and destination
machines, privilege level, and the applications or processes that
they support.

Service accounts have become a major focus for underwriters
because these accounts are often targeted by threat actors due to
their highly privileged access. Attackers know service accounts are
often unmonitored, so using them for lateral movement is likely to
go undetected. Attackers seek to compromise service accounts using
stolen credentials and then use those accounts to reach as many
valuable resources as possible in order to exfiltrate data and
spread their ransomware payload.

The challenge of inventorying all service accounts, though, is
an even greater one than doing so for human admins. The reason is
that there is no diagnostic tool that can detect all service
account activity in an environment, so getting an accurate count
of how many exist is challenging at best.

As well, unless meticulous records have been kept by admins,
determining every account’s specific pattern of behavior – such as
its source-to-destination machines and its activities – is
extremely difficult. This is because of the many different tasks
that service accounts perform. Some accounts are created by admins
to run maintenance scripts on remote machines. Others are created
as part of software installation to perform updates, scans, and
health checks related to that software. The upshot is that getting
full visibility here is close to impossible.
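To make the service-account inventory concrete, here is an added example (not from the article or from Silverfort) that aggregates Windows Security 4624-style logon records per account into the source-to-destination pairs and logon types the underwriters ask for, classifies accounts that never log on interactively as service-like, and then reports later events that break an account's learned pattern. The event records, host names and account names are constructed; the logon type numbers are the ones Windows uses in event 4624.

```python
"""Service-account inventory and deviation report from logon events.

Added example. EVENTS is a constructed subset of fields from Windows Security
event 4624 (successful logon); no real log data is used.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Logon types as documented for event 4624: 2 = Interactive, 3 = Network,
# 4 = Batch (scheduled task), 5 = Service, 10 = RemoteInteractive (RDP).
INTERACTIVE_TYPES = {2, 10}
NON_INTERACTIVE_TYPES = {3, 4, 5}

# Constructed sample events (time, account, source host, destination host, type).
EVENTS = [
    {"time": "2023-02-01T02:00:03", "account": "svc_backup", "src": "SRV-BKP01", "dst": "FS01", "logon_type": 3},
    {"time": "2023-02-02T02:00:01", "account": "svc_backup", "src": "SRV-BKP01", "dst": "FS01", "logon_type": 3},
    {"time": "2023-02-03T02:00:05", "account": "svc_backup", "src": "SRV-BKP01", "dst": "FS01", "logon_type": 3},
    {"time": "2023-02-01T03:15:00", "account": "svc_patch", "src": "WSUS01", "dst": "WS-044", "logon_type": 5},
    {"time": "2023-02-01T03:15:07", "account": "svc_patch", "src": "WSUS01", "dst": "WS-045", "logon_type": 5},
    {"time": "2023-02-01T09:12:44", "account": "alice", "src": "WS-010", "dst": "WS-010", "logon_type": 2},
    {"time": "2023-02-01T09:40:10", "account": "alice", "src": "WS-010", "dst": "FS01", "logon_type": 3},
    {"time": "2023-02-02T08:55:02", "account": "alice", "src": "WS-010", "dst": "WS-010", "logon_type": 2},
    # Constructed anomaly: a service account used over RDP from a workstation
    # that never appeared in its baseline.
    {"time": "2023-02-03T14:22:18", "account": "svc_backup", "src": "WS-077", "dst": "FS01", "logon_type": 10},
]


def build_inventory(events):
    """Aggregate per account: src->dst pairs, logon types, count, first/last seen."""
    inv = defaultdict(lambda: {"pairs": set(), "logon_types": set(),
                               "count": 0, "first": None, "last": None})
    for ev in events:
        rec = inv[ev["account"]]
        rec["pairs"].add((ev["src"], ev["dst"]))
        rec["logon_types"].add(ev["logon_type"])
        rec["count"] += 1
        t = datetime.fromisoformat(ev["time"])
        rec["first"] = t if rec["first"] is None else min(rec["first"], t)
        rec["last"] = t if rec["last"] is None else max(rec["last"], t)
    return dict(inv)


def classify(record):
    """Heuristic, not a directory attribute: an account with no interactive
    logons at all behaves like a service account; anything else needs review."""
    return "service" if not (record["logon_types"] & INTERACTIVE_TYPES) else "interactive"


def baseline_and_deviations(events, baseline_until):
    """Learn each service-like account's pattern from events up to
    `baseline_until` (ISO timestamp), then report later events that break it."""
    cutoff = datetime.fromisoformat(baseline_until)
    baseline = [e for e in events if datetime.fromisoformat(e["time"]) <= cutoff]
    inventory = build_inventory(baseline)
    service_accounts = {a for a, r in inventory.items() if classify(r) == "service"}
    deviations = []
    for ev in events:
        if datetime.fromisoformat(ev["time"]) <= cutoff or ev["account"] not in service_accounts:
            continue
        rec = inventory[ev["account"]]
        reasons = []
        if (ev["src"], ev["dst"]) not in rec["pairs"]:
            reasons.append(f"new source->destination {ev['src']}->{ev['dst']}")
        if ev["logon_type"] in INTERACTIVE_TYPES:
            reasons.append(f"interactive logon type {ev['logon_type']} on a service account")
        elif ev["logon_type"] not in rec["logon_types"]:
            reasons.append(f"new logon type {ev['logon_type']}")
        if reasons:
            deviations.append({"account": ev["account"], "time": ev["time"], "reasons": reasons})
    return inventory, deviations


if __name__ == "__main__":
    inventory, deviations = baseline_and_deviations(EVENTS, "2023-02-02T23:59:59")
    for account, rec in inventory.items():
        print(account, classify(rec), sorted(rec["pairs"]), sorted(rec["logon_types"]))
    for d in deviations:
        print("DEVIATION", d["time"], d["account"], "; ".join(d["reasons"]))
```

The baseline/deviation split is the point: the per-account table of source-to-destination pairs is the documentation the policy asks for, and the same table, once frozen, is what lets a service account's first interactive logon from an unfamiliar host stand out instead of blending into the noise.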

The Right Assessment Can Identify Gaps in Identity Protection

To qualify for a cyber insurance policy, organizations need to
close their gaps in identity protection. But first those gaps have
to be identified, because you can’t address what you’re not aware
of.

With the help of a thorough assessment, companies will finally
be able to see all their users and their level of privilege,
identify any areas lacking MFA coverage, and also get a picture of
other identity protection weaknesses, such as old passwords still
in use, orphaned user accounts, or any shadow admins that are in
the environment.

By focusing on authentications, the right assessment will reveal
exactly how users are gaining access and identify any attack
surfaces not currently being protected. These include all
command-line interfaces and service account authentications, which
will allow organizations to meet the new cyber insurance
requirements with ease.

A rigorous assessment can also uncover additional areas not
currently required by insurers but still vulnerable to attack, such
as file shares and legacy apps. Coupled with actionable
recommendations, such an assessment leaves organizations with a
dramatically improved security posture.

Do you know where your gaps are? Sign up today for a free identity
protection assessment [3] from Silverfort to get
complete visibility into your environment and uncover any
deficiencies that need to be addressed so your organization can
qualify for a cyber insurance policy.

Found this article interesting? Follow us on Twitter [4] and
LinkedIn [5] to read more exclusive content we post.

References

  1. Ransomware attacks were up 80% last year (techcrunch.com)
  2. Free identity risk assessment (www.silverfort.com)
  3. Free identity protection assessment (www.silverfort.com)
  4. Twitter (twitter.com)
  5. LinkedIn (www.linkedin.com)
