Privileges facilitate essential operational functions across an enterprise, granting users, applications, and system processes elevated rights to access specific resources and complete work-related tasks. Yet the potential for misuse or abuse of privilege by insiders, malware, and external threat actors presents considerable cyber risk that is inadequately managed across many organizations. Forrester Research estimates that 80% of security breaches involve privileged credentials (passwords, tokens, keys, and certificates).
Consider for a moment all the places where IT privileges exist or are requested across the organization. Privileges for various user accounts and processes are built into operating systems, file systems, applications, databases, hypervisors, cloud management platforms, DevOps tools, and more. Privileges can also be delegated by various privileged users.
Hackers, malware, third-party vendors and remote workers, malicious insiders, and simple user errors comprise the most common privileged threat vectors. Cybercriminals target privileges because they can fast-track access to the most high-value targets across an organization. With privileged credentials and access, a cyberattacker or piece of malware essentially becomes an “insider” who can make system and file changes, move around, escalate permissions, and even erase their tracks.
Typically, an external threat actor proceeds in the following manner (known as the cyberattack chain):
- Attack the perimeter and exploit asset vulnerabilities
- Hijack privileges and attempt to escalate access
- Use privileges and credentials to move laterally, and extract data or compromise resources
Attackers will exploit vulnerabilities and user privileges to gain a foothold. They then solidify their presence by laterally moving through the network, looking for opportunities to escalate their privileges, acquire additional credentials, and take control of more assets and sensitive data as they proceed.
Common Privileged Threat Vectors
Gartner recognized privileged account management as the #1 IT security project for 2018, and in a Feb. 2019 report, acknowledged PAM as #2 in the information security space for spending growth. So, while privileged threat vectors are now firmly in the IT security spotlight and organizations are taking a closer look at maturing their privileged security controls, for most, there is much work to do. Privilege blind spots, backdoors, and careless practices abound. Here’s an abridged list of common problem areas:
- Over-provisioning of privileges: Simply put, too many users have excessive access, which equates to a bloated threat surface. IT admins routinely over-provision end users with broad sets of privileges. In the case of Windows PCs, users often log in with administrative account privileges. Once the account is compromised, the attacker can leverage whatever privileges are inherent to the account.
- Lack of awareness of privileged accounts: Unknown privileges and unmanaged privileged accounts provide dangerous backdoors for attackers, including former employees who have left the company but retain access. Applications and service accounts often fly under the radar. These accounts may automatically execute privileged processes to perform actions, as well as to communicate with other applications, services, resources, etc.
- Hardcoded and embedded credentials: Applications, systems, network devices, and IoT devices commonly have embedded and/or default credentials. These credentials may be reused across many like devices. Often, the passwords are well-known to cybercriminals and may be easily guessable. Additionally, developers, DevOps team members, and others frequently hardcode plaintext secrets into scripts, code, or files for easy access when they need it.
- Shared admin accounts: Sharing privileged credentials is a common practice across IT teams, but this makes it difficult, if not impossible, to track privileged activities performed via an account to a single individual—which creates problems for security, auditability, and compliance.
- Lackluster enterprise password management practices: With thousands to millions of privileged credentials strewn across heterogeneous systems (Windows, Mac, Unix, Linux) and hybrid environments, human processes are ill-equipped to scale. Humans often resort to dangerous shortcuts (e.g. reusing passwords or SSH keys across servers, assets, and accounts, or storing passwords in documents, spreadsheets, or code) that could result in a far-reaching compromise.
- Reliance on free, unsupported tools like sudo: Many tools, like sudo, provide just enough functionality to allow small organizations to “get by” with administration. However, these tools often have serious shortcomings that become more glaring as complexity and scale increase. It doesn’t take much to outgrow sudo. Aside from being time-consuming and complex to use, sudo lacks file integrity monitoring, log security, and centralized management capabilities. These are key deficiencies, especially considering that this tool is used across Unix/Linux environments that likely house an organization’s most sensitive systems and assets.
- Third-party vendor/remote access: Whether it’s employees working remotely or third-party vendors, remote access opens up dangerous attack pathways and presents one of the trickiest cybersecurity challenges. VPNs are often used, but don’t provide a granular means of managing privilege. Some of the largest breaches (Target, Home Depot, Wendy’s, Anthem, etc.) in recent years have originated from vendors due to insufficient access controls.
Maturing Your Privileged Access Security
The biggest and most sustainable privileged access security improvements will most likely occur when you make the leap from manual processes to automation, such as via a privileged access management (PAM) solution. The more automated your privilege security controls, the more consistent your policy enforcement and the more effective your risk reduction. This approach will also help you dynamically optimize privileged access in a way that is invisible to end users, while enabling them to stay secure.
So, what aspects of PAM should you prioritize? Here are six areas where you can make a substantial impact in eliminating privileged threat vectors and improve your risk management. You could potentially address these via a holistic PAM solution all at once, or phase in automation across each of the six areas separately over time.
- Scan to identify all privileged accounts and credentials and bring them under centralized management: This should include IT admin (root, domain admin, network admin, etc.) and end-user accounts, application and service accounts, SSH keys, database accounts, cloud, and social media accounts. Discovery should traverse your entire IT ecosystem. This process should be routinely performed since new systems, users, and applications can emerge at any time.
- Enforce least privilege: Users, applications, and processes should possess no privileges beyond what they absolutely need to perform their role/activity. Endpoint privilege management helps accomplish this by eliminating admin rights from all users, while dynamically elevating application access on a case-by-case basis (such as via application whitelisting). Privileges should also be time-limited. For instance, privileges can be elevated until a task has been completed, and then subsequently revoked. Implementing a least privilege environment will drastically condense your attack surface—helping to prevent or mitigate many of the most common threat vectors. Enforcing privilege separation (segmenting different privileges across various users, accounts, etc.) complements least privilege in further reducing the potential for lateral movement by a threat actor.
- Apply privileged password management best practices with consistency: Privileged credentials should be unique, complex, never reused or repeated, and centrally secured in a password safe. While it is no longer a best practice to change passwords for personal, non-privileged accounts, password rotation remains a best practice for privileged credentials. The more sensitive the password, the more frequently it should be rotated. Passwords should also be automatically changed in response to specific threats, and checked back in after each use. While long, complex, and unique passwords help thwart dictionary and other password guessing attacks, password rotation protects against password reuse attacks. SSH key management, application password management (which includes eliminating embedded/hardcoded passwords), and DevOps secrets management are also important capabilities. Ideally, you can leverage all of these capabilities via one solution.
- Monitor and manage privileged sessions: All activities that involve elevated access or permissions should be diligently monitored and managed, a process referred to as privileged session management (PSM). This is important for both IT security, as well as compliance. Some PSM solutions even allow you to pause suspicious sessions until they can be deemed legitimate or illicit.
- Extend security best practices over privileged remote access: This is such a critical, yet often overlooked, area of security. Ideally, your PAM tool will enable you to extend privilege management controls beyond the perimeter to wherever your workers or vendors are. Permitting remote access should never mean letting down your guard.
- Continuously find and fix privileged vulnerabilities: Without a robust approach to uncovering and addressing vulnerabilities, many of your other security investments will be rendered useless. Regularly perform vulnerability assessments and scans to identify weaknesses (including embedded credentials, default credentials, stale passwords, misconfigurations, and other flaws), and patch regularly. A strong vulnerability management approach will help keep attackers from gaining that initial foothold in your environment.
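The discovery step above (and the earlier point about sudo rules being hard to see centrally) is the kind of inventory a PAM rollout starts with. The following is an added example, not code from this post or from BeyondTrust: it enumerates every account on a Unix/Linux host that holds elevated rights by reading `/etc/passwd`, `/etc/group` and a sudoers file, and flags the findings that usually indicate an unmanaged backdoor (uid-0 aliases and passwordless full sudo). The three files are constructed sample inputs with invented account names.

```python
import re
from collections import defaultdict

# Constructed sample files (not from any real host) in /etc/passwd, /etc/group
# and sudoers format; every account name here is invented for the example.
PASSWD = """root:x:0:0:root:/root:/bin/bash
backup-svc:x:0:0:legacy backup job:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
deploy:x:1002:1002:CI deploy:/opt/deploy:/bin/sh
"""
GROUP = """root:x:0:
sudo:x:27:alice
wheel:x:10:
"""
SUDOERS = """# constructed sudoers fragment
Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
bob ALL=(root) /usr/bin/systemctl restart nginx
"""

ADMIN_GROUPS = ("sudo", "wheel", "admin")
# user_or_%group  host = (runas) [NOPASSWD:] command
SUDO_RULE = re.compile(r"^(%?[\w.-]+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def find_privileged(passwd, group, sudoers):
    """Return {account: [reasons]} for every account holding elevated rights."""
    findings, members = defaultdict(list), {}
    for line in group.splitlines():           # group name -> member accounts
        f = line.split(":")
        if len(f) == 4:
            members[f[0]] = [m for m in f[3].split(",") if m]
    for line in passwd.splitlines():          # any uid 0 is root, whatever its name
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0":
            findings[f[0]].append("uid 0")
    for g in ADMIN_GROUPS:                    # admin-group membership implies sudo
        for m in members.get(g, []):
            findings[m].append(f"member of {g}")
    for line in sudoers.splitlines():         # explicit sudoers grants
        line = line.split("#", 1)[0].strip()
        m = SUDO_RULE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        principal, spec = m.group(1), m.group(2).strip()
        nopass = spec.startswith("NOPASSWD:")
        cmd = spec.split(":", 1)[1].strip() if nopass else spec
        reason = ("sudo ALL" if cmd == "ALL" else f"sudo: {cmd}") + (" NOPASSWD" if nopass else "")
        via = f" (via {principal})" if principal.startswith("%") else ""
        for t in members.get(principal[1:], []) if via else [principal]:
            findings[t].append(reason + via)
    return dict(findings)

def high_risk(findings):
    """Root aliases and passwordless full sudo: the first things to bring under management."""
    return sorted(a for a, r in findings.items()
                  if ("uid 0" in r and a != "root") or any(x.startswith("sudo ALL NOPASSWD") for x in r))
```

On a real host the same functions can be fed the contents of `/etc/passwd`, `/etc/group` and `/etc/sudoers` (plus `/etc/sudoers.d/*`); the output is the starting inventory for the centralized management step.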
The security industry’s top independent analysts have all recently issued research on privileged threats and PAM. Check out these reports now to learn more about PAM and the industry’s top vendors:
This blog was brought to you by our partner, BeyondTrust, the worldwide leader in privileged access management. BeyondTrust is a valued sponsor of Camp Secure Sense.
BeyondTrust offers the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. Our extensible platform empowers organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments. BeyondTrust gives organizations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 100, and a global partner network.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions, want to learn more about our services or just want to chat security please give us a shout.