Connor Swalm
Welcome to gone phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of Fin Security, and welcome to gone phishing.
Hey, everyone. Welcome back to another episode of Gone Fishing. I'm your host, Connor, the CEO at Finn, and I am joined once again by Nick Wolf, the director of partner acquisitions at Evo Security. Nick, how are you doing?
Nick Wolf
Doing great. Thanks for having me on again.
Connor Swalm
Awesome. Thank you so much for joining us. Last time we talked a bunch about multi factor authentication, its benefits, why people don't want to use it, even though it seems like a really wise idea. So, folks, if you haven't seen that episode or listened to it, highly recommend you go listen to that one.
We just ended up recording that, so it should be ready to roll for you all. But Nick, I got a question. Three years ago, the only Pam that I had heard was that scene from stepbrothers where they had the Pamn debacle. But now privileged access management, the new acronym. So I found out, I hear all the time, like, what's been going on? Why is it so popular?
Nick Wolf
So privileged access management, that's sort of the name of the game for MSPs and their technicians. You're going to be hearing a lot about it going forward.
Absolutely.
Connor Swalm
So what does privileged access management look like?
Nick Wolf
Yeah, so we touched base on earlier. Multifactor authentication is verifying that a user is who they say they are. Privileged access management is taking it one step further.
Now that we know who you are, what are you allowed to do?
Is Mary from marketing allowed to have admin access and download database files, or is Mary from marketing just able to do the bare necessities? So it's really about making sure that your users could do what they need to do, but only what they need to do.
We don't want to give all users the full blown keys to the kingdom.
Connor Swalm
That makes a lot of sense. And what are some examples of when that would make sense, when having those privileged access roles makes sense or when they don't?
Nick Wolf
Yeah, absolutely. So in most cases, most SMBs actually do not have admin rights anymore, and that's mainly because a lot of compliance and insurance is really cracking down on that. You don't want everybody to have admin rights because the more admin rights, the more likely there is for compromise and attacks. So what we're seeing is that most SMBs don't have those admin rights, but instead the MSP and the technicians at the MSP have those admin rights.
But the issue with that is if you're an MSP and you have five technicians, how do you go around sending those admin rights to each other?
What a lot of MSPs are doing today is they're still copying and pasting admin credentials out of it, documentation tools or password managers or things of that nature. What privileged access management does is it makes that process a lot more secure.
I know that one of the ways that we do it is that instead of technicians logging in with that admin password, they actually log in as themselves.
So bob the tech logs in as Bob the tech. And when Bob the tech needs admin access to a client's machine to install a new piece of software on a server, instead of him having to look up and copy and paste that admin credential and getting exposed to it instead.
What he does is he'll select a button on the machine that will send a push notification to his phone that he's able to approve that yes, I am Bob the technician. I'm trying to access this client server as an admin.
Once he does that, he's now an admin on that client's machine. So at no point during the login process do the technicians ever get exposed to the admin credential, admin password, admin username, or anything like that.
So that's what most privileged access management softwares are doing, or at least should be doing for the managed service provider market.
Connor Swalm
Awesome. So that's PAM, but I've also heard of identity access management for my edification. What's the difference?
Nick Wolf
Yeah. So privileged access management is one component within identity and access management as an entire umbrella. Other components of identity and access management are typically multi factor authentication and single sign on, which I know we spoke about in one of our other episodes.
Connor Swalm
Okay, so it's like a branch of Pam is a branch of Iam.
Nick Wolf
Correct.
Connor Swalm
Awesome. And so the example you gave was like an MSP tech trying to get a new device up and running, maybe for a client of theirs. Is this also something that should be implemented at their clients, but not just at the MSP?
Nick Wolf
Yeah. So typically we also see privileged access management getting rolled out to co managed IT customers, especially those that have an internal IT department, because it's the same thing. You don't want those internal IT techs being exposed to admin credentials, because if they saw the admin credentials and that technician lead, whether it's an internal IT tech or an MSP technician, if they saw that credential and you let that employee go, then in theory they're walking out the doors with the keys to your kingdom. They know that sensitive information, that sensitive username and password, and they might be able to post it on the dark web or do something malicious with it.
So oftentimes what internal IT departments or MSPs do is they then go back and update and rotate all those passwords that that technician would have seen, which could be very time consuming the way that most privilege access management software solve this is, hey, let's make it so that technician can never see that admin credential to begin with.
Connor Swalm
That makes a lot of sense. Or the alternative would be to rotate all of them, which might be incredibly painful.
Nick Wolf
It could be very manual. Yes.
Connor Swalm
So other than the tools and the pieces of software and maybe even hardware folks would want access to, what are some other things that privileged access management should apply to that somebody would want access to?
Nick Wolf
Yeah. So right now, a lot of people are doing it on the endpoint level because that's where most compromises are occurring. I would say definitely take a look at your cybersecurity insurance policy for sure, because most cybersecurity insurance policies state you cannot share accounts.
And again, sharing accounts is sharing that admin know they don't want to be shared anymore.
We want to make sure that Mary for marketing is logging in only as Mary from marketing. Bob the technician is only logging in as Bob the technician.
Gone are the days where you should be sharing passwords, copying and pasting passwords.
Or doing anything like that.
Connor Swalm
I know that there are some people who are listening to this who just start sweating a little bit, but hey. Maybe they need to. So thanks for stating.
Nick Wolf
Yeah, the other day I had one MSP. They moved forward with our Pam solution, and they were only a two person shop.
It was a husband and wife. But per their cybersecurity insurance policy, they weren't allowed to share credentials, even though it was a husband and wife operation. And they didn't worry about a technician leaving with the keys to the kingdom. Because it was just them.
They implemented the Pam solution now to qualify for their cybersecurity insurance, as well as to help scale and grow their business because even though they're a two man shop MSP right now, eventually they're going to grow. They're going to start hiring that first level one technician, level two technician, et cetera.
That's going to need those credentials, but shouldn't be exposed to those credentials.
Connor Swalm
That makes a lot of sense that implementing this prevents.
Nobody wants to think about an employee being unruly or dissatisfied with the way you treat them and then stealing everything. But now it's, hey, cyber insurance is telling you have to. So would you like to still have a policy that will pay out in the event that something bad happens?
Nick Wolf
Yeah, it's all about creating kind of like a zero trust. Like, yeah, your employees are awesome, and they shouldn't be doing malicious, but let's make it so they can't do anything malicious even if they wanted to.
Yeah.
Connor Swalm
Let'S force everyone to act that way, or let's force the company to respond in that way in the event that anything could happen in the future. So, for those that don't implement any amount of privileged access management, what are some of the risks that they're undertaking that are now associated with them that they might be unaware of?
Nick Wolf
So, again, when you're sharing a credential, say, as an MSP technician, you're logging into a client's machine through your RM tool. Great.
And that admin credential is stored in, say, it, glue or an excel file and you're copying and pasting it into that machine. Two things just happened there.
That technician was exposed to that username and password, which is a no.
We talked about it.
But the second thing that's happening there is once you do control paste and you're pasting that credential, that's a keystroke. Which means if there's a malicious keylogger software that's installed on that machine, that means whoever's monitoring those keystrokes now has the username, now has the password, and that's the admin password. Right? So let's make it sure that the bad guys can never get those usernames and passwords, and the technicians never see.
Those username and passwords if they leave. That's why most privileged access management solutions, not only do they hide the credentials.
In many cases, the Pam solution should also be rotating those passwords on a daily or hourly basis.
Connor Swalm
That makes a lot of sense. So if someone is listening or watching, or however a keylogger decides to keep track of those keystrokes. It'll be caught up with your copy paste and admin credentials.
In our last episode, we kind of talked about how clients and MSPs and people in general don't implement MFA because they say it's not convenient for them to have to deal with push notifications or text messages. Are there any reasons, is there anything an MSP should be aware of that people are just going to push back.
And not want to implement this? And how should they deal with that?
Nick Wolf
Typically, for privileged access management, there's not much pushback because a lot of times it's the MSP that's going to be that admin for that SMB client site anyway. It's all about educating the MSP that.
Hey, your technicians are no longer going to be copying and pasting passwords out of your documentation tool or your password manager. Instead, they're logging in with this privileged access management software that's now installed on all these clients endpoints.
Connor Swalm
Got it.
So it's more of an education gap. Not a more of an education gap.
Yeah. Awesome. What does insurance, what does compliance think of Pam? Is it included?
Nick Wolf
Is it definitely becoming more and more frequent? I know that the CIS controls mentioned that you can't be sharing accounts if you want to follow good cyber hygiene there, and the same is going to happen in most cybersecurity insurance policies.
Hey, are you sharing admin credentials? How often are admin credentials rotated? Because you don't want admin and the password to be password for the firewall, your office 365 global admin, your server.
So set up very long and complicated passwords, make sure they're rotated, and make sure nobody can see them because they're using privileged access management instead.
Connor Swalm
That makes a lot of sense. Is there any recommended way that Pam should be implemented or set up or configured like in our MFA conversation that we did earlier, you had mentioned, hey.
An app or push notification that's geolocated would be way more secure. I'm just wondering if there's.
Nick Wolf
Yeah, I would say making sure that you're using a Pam tool that also has an MFA component to it.
So not know. Is the username and password shielded from your technician? But let's make sure that technician is really the technician.
So let's verify that technician with an MFA code getting pushed to their phone before we allow that technician to have admin rights into this client's machine.
Some other Pam tools, they just create a temporary account, then delete a temporary account. But that's prone for compromise if someone gain accesses to that tool.
So let's make sure that, again, that the users verify who they say they are and then give them those keys to the kingdom through the privileged access management software.
Connor Swalm
Okay, that is wise. Definitely. Security as a layered approach, make sure you're using all the layers you possibly can. Definitely. Good piece of advice.
What has adoption of Pam historically looked like in the MSP space?
Nick Wolf
I mean, I would say in the last two to three years, it's definitely been exploding. There's been a lot more Pam focused vendors in the MSP channel. I know that we're all, some of us compete with each other, but at the end of the day, competition is good, competition is healthy, because at the end of the day, we're trying to protect MSPs and their customers and their credentials. So that's why you've been seeing a lot more privileged access management vendors arise in this channel. And we've all been growing healthily and really fast here because I think a lot of MSPs, they know that their current process is no good.
I'm on the phone with MSPs all day and they're like, yeah, we're copying and pasting passwords out of an excel file. We know that we shouldn't be doing that. It's been on our to do list for the last two or three years to change something better in Pam. Let's move forward.
Connor Swalm
It's on your to do list for two years. Is it really on your to do list?
Nick Wolf
That's what I would, yeah. So, so that's what it's looked like up until now.
Connor Swalm
What do you think adoption looks like in the future? Is there going to be any change to the Pam industry?
Nick Wolf
I think it's going to be more mandatory in the future as people begin to take their cybersecurity insurance as well as cIs controls a lot more seriously.
For sure. It's going to be not a nice to have, but a need to have. Otherwise there's potential for fines as well in the future, I'd imagine.
Connor Swalm
Okay, now, Pam sounds like a very wide topic, and as we had mentioned earlier, it's a subset of identity access management and MFA, I'm assuming is somewhere in this big soup of acronyms that we've talked about. Now, where would you recommend somebody go to learn more about this? If they're looking to just learn or implement it or understand it, what would your thoughts be?
Nick Wolf
Yeah, so we have a lot of resources on evosecurity.com around. You know, feel free to check out what your other MSPs, whether it's on Reddit or the IT business owner groups on Facebook, there's a lot of content that's out there and we're happy to engage.
Connor Swalm
Awesome. We'll have a link to y'all's resources in the show notes as well for those of you who want to take a look. One thing I've recommended as well is the CIS control center for Internet Security.
Those are controls that are typically put forth as best practice and then you and I know there's implementation group one, Ig two and IG three, and it's basically like, have you met a baseline? Are you going above and beyond?
Are you incredibly secure? And are you really putting your best foot forward in every way, shape and form?
Have you made it not just a priority, but the priority, so to speak?
So one thing I've always done to learn more is what does it look like to actually implement this in the CIS controls? Because whatever they would recommend is typically what your implementation should look like or something you should try to approximate at the end of the day.
So I have no idea. Do you know off the top of your head which control it is in the CIS controls?
Nick Wolf
There are so many controls. Our CEO actually did a breakout session on CIS controls at the IT nation secure conference back in June. But hey, if you're watching this, hit me up on LinkedIn. I'll be able to send you the breakdown of which individual controls at least we could help you out with when it comes to Pam and CIS controls.
Connor Swalm
Sweet.
And we'll have Nick's LinkedIn in the show notes for all you that are listening. So if you'd like to take a look at the resources on their website, or if you'd like to reach out to Nick and get some one one time or get some of his personal advice, feel free to do so. We'd love it if you did. Thank you so much for joining me today, Nick. It was a blast chatting with you.
Nick Wolf
Thanks for having me.
Connor Swalm
Awesome, see you soon.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin Security at Phinsec IO. That's p h I n s E C IO or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.