Friday, August 15, 2025

Privileged Access Management

Privileged access management (PAM) is defined as the provisioning of tools that help organizations manage and secure accounts that have access to critical data and operations. Any compromise in these ‘privileged’ accounts can lead to financial losses and reputational damage for the organization.

Every organization’s infrastructure is built with multiple levels of deployments, data stores, applications, and third-party services. Some of these components are critical for operations, while some may be as mundane as email.

But each of these is accessed by user accounts, which are of two types:

Human users: They are typically employee accounts, encompassing all departments, including HR, DevOps, and network administrators. 

Automated non-human users: These are third-party applications and services that require an account to integrate with the organization’s systems.

‘Privilege’ is defined as the authority an account has to modify any part of the company’s technology architecture, from individual devices up to the office network. This privilege allows the account to bypass security restraints that are normally applied to all accounts.

A standard account is the norm among employees, with the least privileges attached to it. These accounts are used to access and operate limited resources such as internet browsing, email, and office suites. A privileged account possesses more capabilities than a standard account, and this elevated access is gained using privileged credentials.

Despite the numerous headline-making incidents in recent years, cybercrime continues to rise, with reported data breaches increasing by 75% over the past two years. For those that suffer a breach, the repercussions can be costly: increased public scrutiny, costly fines, decreased customer loyalty and reduced revenues. It is no wonder that cybercrime has risen towards the top of the concern list for many organisations and the customers with whom they do business.

You’ve heard many of the stories: Equifax, Uber, Facebook, MyHeritage, Under Armour and Marriott. Personal data from millions of their customers was stolen. Even though the number of breaches went down in the first half of 2018, the number of records stolen increased by 133 percent to almost 4.5 billion records worldwide. Unfortunately, things are only likely to get worse. According to a 2018 study from Juniper Research, an estimated 33 billion records will be stolen in 2023 – this represents a 275 percent increase from the 12 billion records that are estimated to have been stolen in 2018.

Are you ready for more bad news? Thanks to the demands of the application economy, the threat landscape has expanded and protecting against these threats has only gotten more challenging.

Victims of the future

Digital transformation is a necessity for organisations to not only survive, but thrive in the application economy. But these transformations are creating an expanding set of new attack surfaces that must be defended, in addition to the existing infrastructure that you’ve been protecting for years. These new points of vulnerability include:

DevOps adoption: In more sophisticated IT shops, continuous delivery/ continuous testing practices have introduced automated processes that see no human intervention at all. In many cases, these scripts or tools are often using hard-coded administrative credentials that are ripe for theft and misuse.

Hybrid environments: As your IT environment has evolved to include software-defined data centres and networks, and expanded outside of your four walls to incorporate public cloud resources and software-as-a-service (SaaS) applications, the traditional way of approaching administration and management quickly falls apart – mainly because it fails to protect new attack surfaces like management consoles and APIs.

Internet of Things: Smart devices are proliferating in our lives, from phones to watches, from refrigerators and cars to medical implants and industrial machinery. And because these devices have connectivity, not only can they be hacked, but they are already being compromised where security is inadequate or non-existent.

Third-party access: Outsourcing development or IT operations has become the norm. In addition, many companies are sharing information with partners. However, many of these third-party employees are being granted ‘concentrated power’ via administrative access. Who is watching how they are using or potentially misusing that access?

Take hold of the flame

Stealing and exploiting privileged accounts is a critical success factor for many types of attacks. This is not surprising when one considers that privileged identities have access to the most sensitive resources and data in your environment; they literally hold the keys to the kingdom.

Thankfully, there is a positive angle you can take on this fact. If privileged accounts are the common thread amongst the innumerable attack types and vulnerability points, then these accounts – and the credentials associated with them – are exactly where you should focus your protection efforts.

For many, focusing on ‘privileged users’ is difficult because this population can be so diverse. Privileged accounts and access are not just granted to employees with direct, hands-on responsibility for system administration, but also to contractors and business partners. You may even have privileged unknowns who are securing ‘shadow IT’ resources without your knowledge. And finally, in many cases, privileged accounts aren’t even people – they may be applications or configuration files empowered by hard-coded administrative credentials.

This begs the question, if you can’t even get a clear tally of who represents your privileged user population, how can you hope to protect these accounts?

By securing those accounts at each stop along the breach kill chain.

Breaking the chains

What is a kill chain? It’s the series of steps an attacker typically follows when carrying out a breach. While the chain can comprise numerous steps, there are four key ones in which privileged credentials represent the cornerstone of an attack. These include:

1. Gain access and expand: To access the network, insiders might exploit the credentials they already have, while outsiders will exploit a vulnerability in the system to steal the necessary credentials.

2. Elevate privileges: Once inside, attackers will often try to elevate their privileges, so they can issue commands and gain access to whatever resources they’re after.

3. Investigate and move laterally: Attackers rarely land in the exact spot where the data they’re seeking is located, so they’ll investigate and move around in the network to get closer to their ultimate goal.

4. Wreak havoc: Once they have the credentials they need and have found exactly what they’re looking for, the attackers are free to wreak havoc (e.g. theft, business disruption, etc.).

If you can prevent an unauthorised user – insider or outsider – from gaining access to the system in the first place, you can stop an attack before it even starts.

To prevent unauthorised access, you must:

• Store all privileged credentials in an encrypted vault and rotate these credentials on a periodic basis.

• Authenticate all users, applications, and services before granting access to any privileged credential.

• Employ automatic login and single sign-on so users never know the privileged credential.

Limiting privilege escalation

In many networks, it’s common for users to have access to more resources than they actually need – which means attackers can cause maximum damage quickly and even benign users can cause problems inadvertently. This is why granular access controls are so important.

To limit privilege escalation, you must:

• Adopt a ‘zero trust’ policy that only grants access to the systems people need for work.

• Implement filters and white/black lists to enable fine-grained access controls.

• Proactively shut down attempts to move laterally between unauthorised systems.

Monitoring privileged activity

Whether it’s a trusted insider who wandered into the wrong area or an attacker with malicious intent, there’s a very good chance that at some point users will gain access they shouldn’t have.

The challenge, then, is to improve visibility and forensics around user activity within sensitive systems. To deter violations at this late stage of the kill chain, you must:

• Ensure that all privileged access and activity is attributed to a specific user.

• Monitor all privileged activity to proactively detect unusual behaviour and trigger automatic mitigations.

• Record all user sessions so that all privileged activities can be played back in DVR-like fashion.

• Review and certify privileged access on a periodic basis to ensure that it is still required.


Friday, August 1, 2025

Biometric security key for phishing-resistant MFA

Biometric security keys, like those compliant with FIDO2, offer phishing-resistant multi-factor authentication (MFA) by using fingerprint or facial recognition alongside a secure element on the key. This method combines the strength of hardware-based security keys with the convenience of biometrics, making it difficult for attackers to gain unauthorized access even if they obtain a user's password. 

How it works:

• FIDO2 Compliance: These keys adhere to the FIDO2 standard, which is a set of protocols designed for strong, phishing-resistant authentication.

• Biometric Authentication: The key incorporates a fingerprint sensor or other biometric scanner.

• Secure Element: The key contains a secure element to store cryptographic keys and biometric data, preventing compromise.

• Phishing Resistance: Even if a user is tricked into entering their password on a fake website, the attacker would still need the physical security key and the corresponding biometric information to authenticate.

Token has announced the launch of Token BioKey, a new line of FIDO-compliant security keys that provide enterprises with phishing-resistant, passwordless multifactor authentication (MFA). Built with on-device fingerprint sensors and secure elements, Token BioKey delivers biometric authentication in a compact, field-upgradable form factor and complements Token’s wearable biometric smart ring.

The Token BioKey series includes two models:

• Token BioKey: USB-only connectivity.

• Token BioKey Plus: USB + Bluetooth + NFC + USB-rechargeable.

Both models feature a capacitive fingerprint sensor for on-device biometric verification and an EAL5+ certified secure element for safe storage and use of FIDO credentials. The Plus model features a battery that powers radio functions when the device is not connected to the user's device.

“Token BioKey is designed to meet the evolving security needs of modern enterprises,” said Rob Osterwise, VP R&D, CTO of Token. “By combining biometric authentication with flexible connectivity options and centralised management, we are providing organisations with a scalable solution to combat phishing and other cyberthreats.”

Key features

• Phishing-resistant MFA: Mitigates risks associated with phishing, man-in-the-middle attacks, and other vulnerabilities of legacy MFA solutions.

• Biometric security: Ensures that only the registered user can use the key, even if it is lost or stolen.

• Field upgradable: Allows for firmware updates to address emerging threats and maintain cutting-edge security.

• Centralised management: The Token Authenticator Console enables administrators to manage hardware assignments, customise security settings, and handle provisioning and deprovisioning across the organisation.

• Seamless integration: Compatible with major IAM and SSO solutions, including Microsoft, Cisco Duo, Okta, Google, and Ping.

Benefits of Biometric Security Keys for MFA:

• Enhanced Security: Biometrics add an extra layer of security, making it much harder for attackers to impersonate a user.

• Phishing Resistance: Hardware security keys are inherently resistant to phishing attacks because they are not vulnerable to the same threats as passwords or one-time codes sent via SMS or email.

• Convenience: Biometric authentication can be more convenient than entering long passwords or waiting for SMS codes.

• Passwordless Authentication: In some cases, biometric security keys can enable passwordless logins, further simplifying the authentication process.

• Compliance: Organizations are increasingly adopting phishing-resistant MFA solutions to meet security standards and regulations.