
# PAM is a Process, Not Just a Tool

Published by Richard Caralli

In an official statement, Uber confirmed that it responded to a cybersecurity incident that is still under investigation. Based on reports from cybersecurity media, the attacker appears to have obtained a third-party contractor’s access credentials on the dark web and used them in repeated attempts to log in to Uber’s network and systems. Each attempt pushed a multi-factor approval request to the contractor, who ultimately accepted one. The contractor’s credentials reportedly gave the attacker elevated privileges which, according to some reports, included access to a network share of PowerShell scripts containing hard-coded administrative credentials for AWS and other key technology platforms.

The authentication breach alone is a cautionary tale: push-based multi-factor authentication is only as strong as the user’s willingness to keep denying prompts, and an attacker who can generate prompts at will can wear that willingness down. Any compromised access credential spells trouble for an organization, often ending in the exfiltration of valuable data. But a credential with elevated privileges, and in this case a credential that unlocked still more privileged credentials, is the ultimate prize for an attacker. Privileged accounts are a necessary evil: they give select users the capabilities needed to maintain the organization’s technology infrastructure, but in the wrong hands they are among the most destructive tools an attacker can hold. Guarding these credentials and ensuring their responsible and limited use is a key cybersecurity objective, and it is undermined the moment a credential is hard-coded in a script or stored in any other shared resource. Taken to its conclusion, such a credential could give an attacker the ultimate pot of gold: the privileged access management (PAM) tool itself, which could expose all of the organization’s critical secrets.
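The pattern in the incident described above, a stream of push prompts until one is approved, is visible in authentication logs if anyone looks for it. The following Python is an added example and not part of the original post: it runs a simple push-fatigue detector over constructed sample log lines. The log format, the event names, the user names and the thresholds are assumptions for illustration and would be adapted to whatever your identity provider exports.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example, not from the original post. The log format, event names and
thresholds below are assumptions; adapt them to your identity provider's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, user, event.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z contractor01 mfa_push_sent
2022-09-15T21:02:40Z contractor01 mfa_push_denied
2022-09-15T21:03:05Z contractor01 mfa_push_sent
2022-09-15T21:03:30Z contractor01 mfa_push_denied
2022-09-15T21:04:01Z contractor01 mfa_push_sent
2022-09-15T21:04:22Z contractor01 mfa_push_denied
2022-09-15T21:05:10Z contractor01 mfa_push_sent
2022-09-15T21:05:44Z contractor01 mfa_push_approved
2022-09-15T21:06:00Z alice mfa_push_sent
2022-09-15T21:06:09Z alice mfa_push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: summary} for every user who received at least
    `min_prompts` push prompts inside any sliding `window`.

    The summary also records whether an approval followed one or more
    denials, which is the tell-tale shape of a worn-down user."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "mfa_push_sent"]
        for i, start in enumerate(sent):
            in_window = [t for t in sent[i:] if t - start <= window]
            if len(in_window) < min_prompts:
                continue
            denials = sum(1 for _, e in evs if e == "mfa_push_denied")
            seen_denial = approved_after_denial = False
            for _, e in evs:
                if e == "mfa_push_denied":
                    seen_denial = True
                elif e == "mfa_push_approved" and seen_denial:
                    approved_after_denial = True
            findings[user] = {
                "prompts_in_window": len(in_window),
                "denials": denials,
                "approved_after_denial": approved_after_denial,
            }
            break  # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    for user, summary in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, summary)
```

A finding with `approved_after_denial` set is the one to page on: the user denied the prompt, was asked again, and eventually said yes. Tune `window` and `min_prompts` against your own baseline before enabling the alert, since a user reinstalling an authenticator app can legitimately trigger a short burst.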

Failing to control access to and use of privileged credentials is a deficiency that undermines the cybersecurity posture of many organizations. Axio’s 2021 State of Ransomware Preparedness Report highlighted research into the core cybersecurity deficiencies that contribute to organizational exposure to ransomware attacks. At the top of the list: a pervasive lack of “controls, practices, and supporting technologies to facilitate the administrative needs of privileged users in balance with reasonable limitations on excessive, inappropriate, and ultimately, insecure use.” In the study, not only had nearly 80% of organizations failed to implement a viable privileged access management tool, but failures to establish the key processes that restrict, log, and audit the use of privileged credentials were also found to be pervasive. A privileged access management tool forms the foundation of best practice, but managing privileged credentials in the margins, where they are embedded in operational procedures or accepted as the de facto “way we get things done,” is equally important and can have dangerous consequences if done haphazardly.

In the Uber case, the failure to protect privileged credentials is the key lesson. It negates the benefits of, and the investment in, privileged access management technology, and it shows a failure to appreciate the delicate balance between administrative needs and cybersecurity requirements. The Uber hack reveals that the 20% of organizations in our research that have made the leap to a PAM solution cannot declare victory without a commensurate privileged access management process. That process includes solid policies and procedures for managing privileged credentials (including acceptable use cases), regular privileged access reviews, continuous logging and monitoring of credential use, better education of administrative users, and frequent audits and penetration tests to find and remove privileged credentials where they so often live…in the margins.
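Finding credentials “in the margins” is work a script can start, and it is the concrete counterpart to both the hard-coded-credential warning above and the audit step in the process just described. The following Python is an added example, not code from the original post or from Axio: it walks a directory tree of operational scripts looking for the kinds of hard-coded secrets the Uber reports describe, and places a vulnerable PowerShell script beside a version that fetches its credentials from the vault at run time. The share layout, file names, script contents, key values and the `Get-VaultSecret` cmdlet are constructed assumptions; only the shape of an AWS access key ID (`AKIA` or `ASIA` followed by 16 uppercase alphanumerics) is taken from AWS’s documentation, and the key values used are AWS’s own published placeholders.

```python
"""Find hard-coded privileged credentials in scripts on a share.

Added example, not from the original post. The share path, file names,
script contents and the pattern set are constructed assumptions. The access
key ID shape (AKIA/ASIA + 16 uppercase alphanumerics) follows AWS's
documented format; the key values below are AWS's published placeholders.
"""
import os
import re
import tempfile

# Patterns for secrets that commonly end up in operational scripts.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_key_assignment": re.compile(
        r"(?i)aws_secret_access_key\s*=\s*['\"][A-Za-z0-9/+=]{40}['\"]"),
    "plaintext_securestring": re.compile(
        r"(?i)ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText"),
    "password_literal": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*=\s*['\"][^'\"]{6,}['\"]"),
}


def scan_text(text):
    """Return [(line_no, pattern_name, matched_text)] for one script body."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((n, name, m.group(0)))
    return hits


def scan_share(root, exts=(".ps1", ".psm1", ".bat", ".sh")):
    """Walk `root` and return {relative_path: hits} for scripts with findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample scripts. The key values are AWS's documented placeholders,
# not live credentials.
BAD_SCRIPT = """\
# rotate-buckets.ps1 : the "way we get things done" version
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
$sec = ConvertTo-SecureString "Sup3rAdmin!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc-admin", $sec)
"""

GOOD_SCRIPT = """\
# rotate-buckets.ps1 : credentials checked out from the vault at run time
# (Get-VaultSecret is a hypothetical wrapper around your PAM tool's API)
$cred = Get-VaultSecret -Name "svc-admin" -RequestReason "bucket rotation"
$env:AWS_ACCESS_KEY_ID = (Get-VaultSecret -Name "aws-rotation-key").Id
"""


def demo():
    """Build a throw-away 'share', drop both scripts in it, and scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "ops"))
        with open(os.path.join(share, "ops", "rotate-buckets.ps1"), "w") as fh:
            fh.write(BAD_SCRIPT)
        with open(os.path.join(share, "ops", "rotate-buckets-v2.ps1"), "w") as fh:
            fh.write(GOOD_SCRIPT)
        # Non-script files are skipped by extension; widen `exts` if your
        # share also holds .txt runbooks or .xml configs.
        with open(os.path.join(share, "README.txt"), "w") as fh:
            fh.write("password = 'not-scanned-because-of-extension'\n")
        return scan_share(share)


if __name__ == "__main__":
    for path, hits in demo().items():
        for line_no, name, text in hits:
            print(f"{path}:{line_no}: {name}: {text}")
```

The scanner flags every line of the first script and none of the second. That is the point of the comparison, not a guarantee: a regex sweep only catches the secret shapes it knows, so treat it as one input to the audit alongside the PAM tool’s own checkout logs, which should show every privileged credential being requested at run time rather than sitting in a file.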


Richard Caralli | Cybersecurity Advisor

Richard Caralli is a senior cybersecurity advisor with significant executive-level experience in developing and leading cybersecurity and information technology organizations in academia, government, and industry. Caralli has 17 years of leadership experience in internal audit, cybersecurity, and IT in the natural gas industry, retiring in 2020 as the Senior Director – Cybersecurity at EQT/Equitrans. Previously, Caralli was the Technical Director of the Risk and Resilience program at Carnegie Mellon’s Software Engineering Institute CERT Program, where he was the lead researcher and author of the CERT Resilience Management Model (CERT-RMM), providing a foundation for the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) and the emerging Cybersecurity Maturity Model Certification (CMMC).