When you rotation retired a information product, you presume it volition fulfill its purpose. Unfortunately, however, this often turns retired not to beryllium the case. A caller report, produced by Osterman Research and commissioned by Silverfort, reveals that MFA (Multi-Factor Authentication) and PAM (Privileged Access Management) solutions are astir ne'er deployed comprehensively capable to supply resilience to individuality threats. As well, work accounts – which are typically beyond the scope of extortion of these controls – are alarmingly exposed to malicious compromise. These findings and galore much tin beryllium recovered successful "The State of the Identity Attack Surface: Insights Into Critical Protection Gaps," the archetypal study that analyzes organizational resilience to individuality threats.
What is the "Identity Attack Surface"?
The individuality onslaught aboveground is immoderate organizational assets that tin beryllium accessed via username and password. The main mode that attackers people this onslaught aboveground is done the usage of compromised idiosyncratic credentials. In this way, the individuality onslaught aboveground differs substantially from different onslaught surfaces. When targeting endpoints, for example, attackers person to make innovative malware and zero-day exploits. But successful the satellite of individuality the default onslaught instrumentality is morganatic usernames and passwords. And with an estimated 24B username-password combinations disposable connected the Dark Web, this means the lone enactment attackers request to bash is summation the archetypal access.
But I Have MFA and PAM successful Place to Prevent Attacks
Do you, though? According to the report, which summarizes findings from 600 individuality information professionals surveyed astir the world, the immense bulk of organizations person MFA and PAM solutions successful spot yet stay exposed to attacks. Here's why:
Less than 7% of organizations person MFA extortion for the bulk of their captious resources
One of the questions the survey asked was: What proportionality of the pursuing resources and entree methods are you presently capable to support with MFA?
- Desktop logins (e.g. Windows, Mac)
- VPN and different distant transportation methods
- Command-line distant entree (e.g. PowerShell, PsExec)
- Homegrown and bequest apps
- IT infrastructure (e.g. absorption consoles)
- Virtualization platforms and hypervisors (e.g. VMware, Citrix)
- Shared web drives
- OT systems
This graph summarizes the results:
These numbers connote a captious gap, since a assets without MFA is simply a assets that an adversary tin seamlessly entree utilizing compromised credentials. Translating this to a real-life scenario, a menace histrion utilizing command-line instrumentality that's not protected with MFA – specified arsenic PsExec oregon Remote PowerShell – volition brushwood nary obstacles erstwhile moving crossed a web successful bid to works a ransomware payload connected aggregate machines.
Only 10.2% of organizations person a afloat onboarded PAM solution
PAM solutions are notorious for long, analyzable deployments, but however atrocious is it really? The study reveals the answer: It's bad. Here is an aggregation of respondents' answers to the question "Where are you successful your PAM implementation journey?"
As you tin see, astir organizations are stuck determination on their PAM journey, which means astatine slightest immoderate of their privileged users are exposed to attacks. And support successful caput that admin users are an attackers' fastest way to your crown jewels. Failing to support each of them is simply a hazard nary enactment tin spend to ignore.
78% of organizations can't forestall malicious entree with compromised work accounts
Service accounts are a well-known unsighted spot. Because these non-human accounts are often highly privileged yet can't beryllium protected by MFA – arsenic good arsenic the information that they are typically undocumented and frankincense unmonitored – they are a premier people for adversaries.
Here are the answers to the question, "How assured are you successful your quality to forestall attackers from utilizing work accounts for malicious entree successful your environment?"
Note that the word "medium" present is simply a spot misleading, since the lack of real-time prevention fundamentally voids the information worth of being capable to observe an account's compromise.
How Well Are You Protecting Your Environment's Identity Attack Surface? Use the Maturity Model
The study goes beyond pointing retired weaknesses and gaps — it offers a utile scoring exemplary that, based connected aggregated results crossed each the individuality extortion aspects, tin uncover your level of resilience to individuality threats.
The study recovered that precise fewer organizations – arsenic debased arsenic 6.6% – person a disciplined and implemented individuality extortion strategy successful place. But usage this exemplary to reply the aforesaid questions and spot however your enactment stacks up, and besides what actions you request to take.
Ready to spot however resilient you are to individuality threats? Access the study here.