3
November 2020

NCSC Annual Report: The need for Privileged Access Management (PAM)

Mark Warren

The State of Cybersecurity in the UK 2020

The National Cyber Security Centre (NCSC) published their annual report today and it makes for interesting reading.

The NCSC made progress in many areas this year, especially in the current environment where they suddenly had to put a focus on the new challenges including the massive move to working from home. And some work from home situations need some very special support such as when the UK government switched to remote working. They're also making great progress in raising cybersecurity awareness and development programs such as those with schools and organisations like the girl guides to encourage diversity and an interest in cybersecurity careers.

Key Topics

The report contains a lot interesting content, but two topics really stood out for me. Firstly, they're seeing a change in ransomware behaviour. Typical attacks have been to prevent access to your own data unless you pay some kind of ransom. But they're now seeing a shift to threatening to publish the compromised data. Perhaps people have been getting prepared with good backup strategies to make recovery from an attack achievable driving attackers to adopt this this new mode of attack.

That brings a new level of concern to bear: what data do you have that shouldn't be made public? It includes obvious stuff like personal data (e.g. salaries, contact information, health etc.) that we've become used to worrying about for GDPR. But there are many other kinds of data that need to be protected in such a threat scenario. For example, Intellectual Property (IP). That could range from designs for a new device through to software source code or even Covid-19 vaccine formula.

To my mind there are (at least) two levels of protection needed, and this hasn't really changed:

1. Protect your data. It's obvious, really, that this includes a good backup strategy. Perhaps not so obvious is that strategy needs to include the privileged access needed to change backup settings or access backups for recovery.

2. Protect your systems. Ensuring that only the right people, have the right level of access, to the right systems and data, for just the right period of time. That's true for normal accounts, but especially true for any accounts that have some level of privileged access. Any plan has to include how to remove local administrator rights from end users (without impacting their work) as that can prevent the ransomware being installed in the first place, through to monitoring all privileged access to shared IT systems.

The common thread in both scenarios is the management of privileged access. This has been an important topic highlighted previously in standards such as Cyber Essentials and the NHS' Digital Security and Protection  (DSP) Toolkit. As the leading UK experts in privileged access security (PAS), Osirium have always been more than happy to see any focus put on this most fundamental security requirement.

The need for Privileged Access Management

So, it's good to see Privileged Access Management (PAM) highlighted as a standalone topic in the NCSC report. As they say, "Gaining access [to privileged credentials] will reward the attacker with a high level of system privileges in the targeted environment." The NCSC has even gone so far as to start developing their own PAM system. In general, anything that encourages more use of PAM is a good thing, but this may not be the best approach. Details are thin on the ground, but they seem to be building a "web-based application" which may be appropriate in selected scenarios, but the vast majority of the customers we deal with still want to keep their privileged account management on-premise where they have ultimate control.

It's also worrying that discussing a potential future tool may delay organisations moving fast in deploying PAM solutions which should be a critical priority. Encouraging early adoption of PAM, from whatever vendor, should be a priority. If they are concerned about the potential cost of a PAM solution, then it shouldn't be when full-featured professional PAM is available free of charge for smaller teams and organisations.

Actually, there was one other standout piece of the report (at least for me): NCSC supports the UK defense agencies with production of encryption keys via "Crypt-Key" which, until now, has seen keys being distributed on punched-hole paper tape! It takes me back to one of my first jobs booting HP midicomputers from paper tape back in the dark ages ... :-)