MY TAKE: A path for SMBs to achieve security maturity: start small controlling privileged accounts

By Byron V. Acohido

The challenge of embracing digital transformation while also quelling the accompanying cyber risks has never been greater for small- and mid-sized businesses.

Related: How ‘PAM’ improves authentication

SMBs today face a daunting balancing act. To boost productivity, they must leverage cloud infrastructure and participate in agile software development. But this also opens up a sprawling array of fresh security gaps that threat actors are proactively probing and exploiting.

Somehow SMBs must keep pace competitively, while also tamping down the rising risk of suffering a catastrophic network breach.

There’s a glut of innovative security solutions, to be sure, and no shortage of security frameworks designed to help companies mitigate cyber risks. Leading-edge cybersecurity systems in service today apply machine learning in some amazing ways to help large enterprises identify and instantly respond to cyber threats.

However, this is overkill for many, if not most, SMBs. Day in and day out their core security struggle boils down to making it harder for intruders to attain and manipulate remote access. And it doesn’t take enterprise-grade security systems to accomplish this.

I’ve had several discussions about this with Maurice Côté, vice president of business solutions at Devolutions, a Montreal, Canada-based supplier of remote desktop management services. We talked about how Devolutions has been guiding its SMB customers to combine tried-and-true remote desktop productivity functionalities with very basic privileged access management (PAM) modules.

For a full drill down on how this approach is helping SMBs materially and quantifiably improve their security posture, please give the accompanying podcast a listen. Here are the key takeaways:

Lower-tier hacks

 No organization wants to find itself having to recover from a devastating ransomware hack – or dealing with an unauthorized intruder who has usurped control of its operational systems. Yet these types of deep network breaches happen every day. The Colonial Pipeline ransomware debacle and the near poisoning of the Oldsmar, Fla. water supply are stark reminders of the unceasing activity of cyber criminals seeking financial gain or who are driven by ideological or political imperatives.

What hasn’t gained as much public attention is a secondary level of cyber attacks that surges every time the hacking community uncovers a fresh vulnerability. These hacking waves contribute to the harvesting of account credentials and unauthorized access to loosely-configured servers; and these ill-gotten assets can, in turn, be utilized to execute different stages of  higher-level hacks, such as account takeovers and ransomware campaigns.

The ongoing waves of Microsoft Exchange ProxyLogon hacks are a good example of these lower-tier attacks. The details tell a larger story: ProxyLogon refers to a critical vulnerability discovered in Microsoft Exchange mail servers at the start of this year. Microsoft issued an emergency security patch for the ProxyLogon flaw and did everything it could to promote the timely patching of some 400,000 Exchange servers worldwide. But that only served as a dinner bell to criminal hacking rings.

ProxyLogon hacks skyrocketed in February and March and have yet to fully abate. Even before Microsoft issued the critical patch, the global hacking community, both white hats and black hats, knew all about ProxyLogon. In fact, even as Microsoft was scrambling to develop the patch, one criminal ring, Hafnium, was busy scaling up their distribution of a potent exploit.

Hafnium was able to compromise 68,500 Exchange servers – before Microsoft issued its patch on Feb. 27. Keep in mind Hafnium is just one of dozens of hacking gangs continuing to have a field day exploiting unpatched Exchange servers, and many of these attacks are specifically targeting small businesses and state and local governments, according to reporting from the Wall Street Journal.

Remote desktop risks

So how can any SMB protect itself in such a virulent threat landscape? The answer is not to accelerate migration to cloud-based IT infrastructure and thereby pitch the security burden over the fence to the folks running Amazon Web Services, Microsoft Azure and Google Cloud.

The same core challenge of balancing productivity and security is arguably even more pronounced for SMBs migrating to cloud infrastructure, who then must step up to meet their shared responsibility for securing cloud assets. That’s no small task.

Côté asserts that SMBs would do well to go back to basics with respect to how they’re implementing remote desktop connections (RDC) and implementing PAM. This applies to established companies migrating to cloud infrastructure as well as to digital native startups.


“These are simple steps to take,” he told me. “You can start small and control as many of these privileged accounts as you see fit and get on a path to  becoming full-fledged mature in all aspects of cybersecurity.”

Some context about remote desktop controls: Back in 2001, when company networks were assembled around on-premises data centers, Microsoft began including RDC in all versions of Windows. The software giant’s intent was to make it more convenient and efficient for system administrators to perform Windows upkeep. RDC emerged as a go-to productivity tool, and similar controls swiftly emerged for Macs, IoS, Android and other operating systems in wide use.

This development turned out to be yet another dinner bell for criminal hackers; they quickly figured out that by hacking in through RDC, they could embed and run malicious code far and wide from deep inside the breached network. Today gaining remote desktop control is one of the first things hacking rings will try to accomplish, as it gives them a direct path to taking full control of endpoints and servers.

Basic PAM needed

So why don’t companies simply keep an eagle eye on all remote desktop connections? That’s much easier said than done. It gets back to the central difficulty of balancing productivity and security in a competitive, complex and fast-changing digital landscape.

In fact, PAM technology came on the scene around 2005, as a subset of identity access and management (IAM) systems. PAM was specifically aimed at helping companies get a better grip on privileged accounts which at the time were spinning out of control.

PAM tools help companies discover and manage access to sensitive accounts. At a very basic level PAM does this by implementing multi-factor authentication and proactively managing passwords for privileged users and for the users of shared privileged accounts.

Over the past couple of years the leading PAM vendors have added the capacity to crunch massive amounts of data and apply intensive data analytics on the fly, all in the service of helping enterprises instantly impose granular access rules at a vast scale.

Such advancements are all fine and well for large enterprises, at it helps them preserve agility while improving security. But they’re not terribly helpful to SMBs, Côté says.

“Not many of our customers have operations that fit these advanced scenarios or are even aware of the capabilities of these advanced PAM suites,” he says. “What SMBs really want and can use are basic PAM modules like password vaulting, password rotation and account discovery that are well-executed.”

Password vaulting and password rotation techniques and best practices are well-understood and lend themselves well to automation at a scale that makes sense for SMBs, he says. They function as essential daily hygiene that can help blunt the onrush of credential stuffing and email phishing campaigns targeting SMBs.

And account discovery refers to building and maintaining a comprehensive inventory of all privileged accounts. This is ground-level visibility that serves to deter shadow IT, the unauthorized creation of new privileged accounts by insiders trying to take shortcuts, as well as by intruders lurking about with malicious intent.

Password concierge

Devolutions got its start delivering a remote desktop management tool that covered all types of connections. Its major innovation was to consolidate the remote access controls for disparate systems on a backend database; thus, its core service remains a productivity enhancement play.

As security began to emerge as the flip side of productivity, the company found that basic PAM modules were a perfect fit for its distinctive approach to remote desktop management. “We found that remote desktop manager makes the PAM modules all the better,” Côté says.  “We send all credentials through the remote desktop manager, and it acts as a concierge opening the door for you without giving you the key.”

Once an access session is completed remote desktop manager locks down the account and rotates the password. “So even if the user manages to get a hold of the password, it’s invalid as soon as he’s done,” he says.

Going back to basics almost always is a good idea. It makes good sense that guarding remote access more closely and implementing basic PAM more consistently can go a long, long way towards helping SMBs boost security in a dynamic marketplace teaming with malicious actors. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)



Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone