Like many other organisations of its type, this client had grown rapidly over the past few years. This resulted in an increase in the number of IT tools and technologies used in the organisation. The organisation reached a point where passwords supporting its critical IT infrastructure were being stored in spreadsheets, disparate password management tools and in “people’s heads”. In addition, some passwords had not been changed or rotated for a number of years.
The organisation proactively ran a Red Team exercise to ‘ethically hack’ itself and identify high-risk vulnerabilities. The Red Team testers managed to gain access to some of these passwords, which proved to senior management that its critical IT infrastructure was at risk.
It was recognised that a malicious attack or exposure of critical IT infrastructure could lead to serious regulatory, financial, and reputational risk for the organisation, especially if this resulted in an exposure of Personally Identifiable Information (PII).
The organisation realised it required external assistance to resolve this, as its existing security team did not have the bandwidth or specialist knowledge to tackle this extensive issue.
We helped the organisation run a Privileged Access Management Project to secure its critical and privileged accounts.
An outline of the stages involved:
- Stage 1 – Project scoping and requirements: This included agreeing success criteria with key stakeholders to clearly articulate what is achievable within the project timelines.
- Stage 2 – Design: High-level and low-level solution designs described how the new privileged access management solution integrated with the existing environment. People and process elements were considered to determine how the solution would be maintained and what operational processes were required.
- Stage 3 – Execution: This included implementing the solution and onboarding privileged accounts into it, including changing critical passwords.
- Stage 4 – Service transition: Training and transitioning from the project team to the in-house operational team.
The outcome was that the organisation had an enterprise-grade privileged access management capability to secure its critical accounts, and password spreadsheets were removed.
The successful initial implementation of the project led us to further help the client enhance the capability in the following years, further mitigating the risk of a cyber security attack.