[BreachExchange] The threat of privileged user access - monitoring and controlling privilege users

Inga Goddijn inga at riskbasedsecurity.com
Wed Nov 9 17:38:03 EST 2016


http://www.scmagazineuk.com/the-threat-of-privileged-user-access--monitoring-and-controlling-privilege-users/article/568490/

The days when cyber-security was an afterthought in the business world are
largely long past us. In our current connected age, it is arguably one of
the most important business issues. New malware and inventive ways to hack
into systems emerge constantly, prompting companies to invest heavily in
keeping their security up to date. It also means that while zero-day
exploits and other new tools in the arsenal of cyber-criminals can be very
dangerous, for the most part, security is advanced enough to provide
reliable protection against most external threats, provided that you
invest sufficiently and follow all the best practices.

However, while denial of service, botnets, malware, ransomware and other
types of external attacks are occupying our headlines, another dangerous
cyber-security threat often goes largely ignored. It is a threat that comes
from within the organisation itself – malicious and inadvertent insiders.
Sensitive financial and personal information regarding your business and
clients can sell for a very large amount of money, and your very own
employees are in the best position to steal it. Insider threats can be hard
to remediate, and even harder to detect in the first place. It is important
to keep an eye on your employees, especially the ones directly working with
valuable data and critical system configuration files on an everyday basis.

However, the most dangerous insiders are usually the most trusted ones –
employees with privileged accounts. Such accounts not only give them
legitimate access to restricted information, but also full control over
their systems, putting them in the best position to commit malicious
actions. And despite investing heavily into cyber-security, not many
organisations put forth the necessary money and specialists needed to deal
with them. Monitoring and controlling privileged user access is a necessary
part of any reliable security system, but to do it right, many companies
will need to change their approach to the problem – from treating it as an
afterthought to taking a more proactive stance in employing best practices
and security solutions <https://www.ekransystem.com/en> to protect your
organisation.

What is a privileged user account?

To understand how to monitor and control privileged users, we first need to
understand what a privileged user account is and how we can identify it.
The term “privileged user account” can be used to describe any account that
gives non-restrictive access to the system. Such accounts provide users
with the ability to access and modify critical system settings, view
restricted data, etc.

There is a variety of different privileged accounts, designed to fulfil
different purposes. Despite the fact that the term is self-explanatory,
some companies have trouble identifying every privileged
<http://www.scmagazineuk.com/global-survey-releases-greatest-security-concerns-and-risks/article/441839/>
account they use. Therefore, it is important to know what privileged
accounts are and for what purpose they can be used.

The easiest way to classify privileged accounts is by the scope of control
they allow:

●     *Domain accounts* – these types of privileged accounts give
administrative access to all workstations and servers within a particular
domain. Accounts of this type give the highest level of control over the
system, such as the ability to control each system and manage
administrative accounts for each system within the domain.

●     *Local accounts* – these types of privileged accounts give
administrative access to a single server or workstation. They give full
control over the system and are often used by IT specialists to conduct
maintenance of the system.

●     *Application accounts* – these types of privileged accounts give
administrative access to applications. They can be used to access and
manage databases, perform setup and maintenance. These accounts give
control over all the data inside the application and can be easily used to
steal sensitive information.

Privileged accounts can be created to fulfil the following purposes:

●     *Personal privileged accounts* – accounts that give administrative
privileges to a single specific employee. These accounts are often created
for managers or database operators, who work with sensitive information,
such as financial or HR data.

●     *Administrative accounts* – these are standard administrative
accounts created automatically for every system. They are usually handled
by IT or security staff.

●     *Service accounts* – these accounts are created to allow applications
to interact over the network in a more secure fashion.

●     *Emergency accounts* – these accounts are used in case of immediate
problems that require an elevated level of privileges to be fixed, such as
disaster recovery and business continuity failures.

Typical users of privileged accounts are system administrators, network
engineers, database administrators, data centre operators, upper
management, security personnel, etc. All of these positions are directly
working with critical data and infrastructure and usually enjoy high levels
of trust from the company. However, this level of access and trust is
precisely what makes them such a dangerous threat to your company.

Danger of privileged user accounts

An elevated level of privileges allows users to perform a wide variety of
malicious actions, from data misuse to completely compromising the system.
Users may use their administrative access to steal sensitive client data
and financial information in order to sell it or even simply leak it
online. Privileged accounts can also be used to modify or delete sensitive
data, opening possibilities for fraud. Tech-savvy users can use such
accounts to install backdoors or exploits allowing them full access to the
system. Disgruntled employees can even bring the whole system down, by
altering critical settings.

However, what makes privileged accounts dangerous is not the extent of
their access, but rather how easy it is for them to perform malicious
actions and how hard those actions can be to detect.

With legitimate access to sensitive data and system settings, malicious
actions of privileged users are often indistinguishable from their everyday
activity. Such users can easily cover their tracks, and even if they get
caught, they can simply claim that they made a mistake. Therefore,
malicious actions by privileged users can go completely undetected for a
very long time, which will only serve to ramp up damages and remediation
costs when it is finally discovered.

It is also worth noting that malicious attacks are not the only danger when
it comes to privileged accounts. With an extended level of privileges,
mistakes and inadvertent actions can often be just as costly for a company
as a deliberate attack. Simply emailing sensitive data to the wrong person
can cause millions in damages and remediation costs.

Another big concern is the security of such credentials. If perpetrators
manage to use social engineering or hacking to obtain a privileged account,
it will give them access to the whole system.

Therefore, among all of your employees, privileged users pose the biggest
threat. According to the 2015 Insider Threat Report, 59 percent of
cyber-security specialists consider privileged users to pose the biggest
security risk for their organisations. It is paramount for a modern company
to protect itself from insider threats associated with privileged accounts.

What can we do about it?

Privileged users present a unique security challenge because of how much
control over the system they have. This makes it very hard to get a good
grasp on what they are actually doing, and many security tools are not
designed to deal with such users and will prove ineffective in practice.

Ultimately, effective security in this situation comes down to effective
privileged-user management, control and monitoring. You need to employ the
right people and the right tools for the job and follow the established
industry practices to succeed.

●     *Privileged-user account management* – you need to make sure that all
privileged users in your organisation are accounted for and that there are
no users with an unnecessarily high level of privileges. Make sure to
develop proper creation and termination procedures for privileged accounts.

●     *Privileged-user access control* – you need to know who had access to
a privileged account, when and for what purpose. Smart password management,
various forms of multi-factor authentication and access monitoring are
great ways to do privileged access management; they allow you to
thoroughly protect privileged accounts from unauthorised access and
precisely identify anyone who uses such accounts.

●     *Privileged-user monitoring* – recording user actions is the best way
to prevent insider threats and an effective detection tool in case an
insider attack has happened. Professional privileged-user monitoring
solutions will provide you with the necessary visibility to control every
privileged session and immediately respond to any incidents if they happen.
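The three controls above (account management, access control, monitoring), together with the scope and purpose classification given earlier in the article, as an added example that is not part of the article or of any product it links to: a Python script that audits a constructed privileged-account inventory and reviews a constructed session log. The inventory fields, the role-to-scope policy, the 90-day staleness threshold, the ticket field and the log format are all assumptions made for the example.

```python
"""Audit a constructed privileged-account inventory and session log.

Example code, not from the article. The checks follow the article's
controls: every privileged account accounted for, no unnecessary scope,
termination applied when an owner leaves, MFA on interactive privileged
accounts, and visibility into who used which account, when and why.
Field names, role policy and thresholds are assumptions.
"""
from datetime import date

SCOPES = {"domain", "local", "application"}          # article's scope classes
PURPOSES = {"personal", "administrative", "service", "emergency"}  # purpose classes
SCOPE_RANK = {"local": 0, "application": 1, "domain": 2}
# Assumed policy: the widest scope each role legitimately needs.
MAX_SCOPE_FOR_ROLE = {"sysadmin": "domain", "dba": "application",
                      "helpdesk": "local", "manager": "application"}
STALE_DAYS = 90  # assumed: unused non-emergency accounts are reviewed after this

# Constructed inventory; none of these are real accounts.
INVENTORY = [
    {"account": "CORP\\jsmith-adm", "scope": "domain", "purpose": "personal",
     "owner": "jsmith", "role": "sysadmin", "mfa": True,
     "last_used": "2016-11-01", "owner_active": True},
    {"account": "CORP\\tlee-adm", "scope": "domain", "purpose": "personal",
     "owner": "tlee", "role": "helpdesk", "mfa": True,
     "last_used": "2016-11-03", "owner_active": True},
    {"account": "svc_backup", "scope": "local", "purpose": "service",
     "owner": None, "role": None, "mfa": False,
     "last_used": "2016-11-08", "owner_active": True},
    {"account": "CORP\\rkhan-adm", "scope": "application", "purpose": "personal",
     "owner": "rkhan", "role": "dba", "mfa": False,
     "last_used": "2016-06-02", "owner_active": False},
    {"account": "breakglass01", "scope": "domain", "purpose": "emergency",
     "owner": "security-team", "role": "sysadmin", "mfa": True,
     "last_used": "2016-02-14", "owner_active": True},
]

# Constructed session records: who used which privileged account, on which
# host, and the change ticket recorded as the reason (None if none given).
SESSIONS = [
    {"ts": "2016-11-09T09:12", "account": "CORP\\jsmith-adm", "host": "dc01", "ticket": "CHG-1042"},
    {"ts": "2016-11-09T02:47", "account": "breakglass01", "host": "dc01", "ticket": None},
    {"ts": "2016-11-09T11:05", "account": "CORP\\ghost-adm", "host": "fs02", "ticket": None},
    {"ts": "2016-11-09T14:30", "account": "svc_backup", "host": "fs02", "ticket": None, "interactive": True},
]


def audit_inventory(inventory, today="2016-11-09"):
    """Return (account, finding) tuples for accounts that break the policy."""
    today = date.fromisoformat(today)
    findings = []
    for a in inventory:
        name = a["account"]
        if a["scope"] not in SCOPES or a["purpose"] not in PURPOSES:
            findings.append((name, "unclassified account"))
            continue
        if not a["owner"]:
            findings.append((name, "no accountable owner"))
        elif not a["owner_active"]:
            findings.append((name, "owner departed; termination procedure not applied"))
        if a["purpose"] == "personal" and not a["mfa"]:
            findings.append((name, "interactive privileged account without MFA"))
        role_max = MAX_SCOPE_FOR_ROLE.get(a["role"])
        if role_max and SCOPE_RANK[a["scope"]] > SCOPE_RANK[role_max]:
            findings.append((name, f"scope {a['scope']} exceeds role {a['role']} ({role_max})"))
        idle = (today - date.fromisoformat(a["last_used"])).days
        # Emergency accounts are expected to sit unused, so they are exempt.
        if a["purpose"] != "emergency" and idle > STALE_DAYS:
            findings.append((name, f"unused for {idle} days"))
    return findings


def review_sessions(sessions, inventory):
    """Return (account, alert) tuples for sessions that need a human look."""
    known = {a["account"]: a for a in inventory}
    alerts = []
    for s in sessions:
        acct = known.get(s["account"])
        if acct is None:
            alerts.append((s["account"], "privileged session by account missing from inventory"))
            continue
        if acct["purpose"] == "emergency":
            alerts.append((s["account"], "emergency account used; post-incident review required"))
        if acct["purpose"] == "service" and s.get("interactive"):
            alerts.append((s["account"], "service account used interactively"))
        if acct["purpose"] == "personal" and not s.get("ticket"):
            alerts.append((s["account"], "privileged session without a recorded purpose"))
    return alerts


if __name__ == "__main__":
    for account, text in audit_inventory(INVENTORY):
        print(f"INVENTORY  {account}: {text}")
    for account, text in review_sessions(SESSIONS, INVENTORY):
        print(f"SESSION    {account}: {text}")
```

Run against the constructed data, the inventory audit flags the helpdesk account holding domain scope, the service account with no owner, and the departed DBA's account (no MFA, owner gone, idle for months); the session review flags the break-glass use, the account nobody inventoried, and the service account logging in interactively. The account the policy fully covers produces no noise, which is the point of writing the rules down before looking at the logs.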

Insider threats in general and the ones associated with privileged users in
particular require a complex layered approach to deal with them
effectively. By making them an integral part of your security strategy you
will be able to better protect your sensitive data from all sides and
strengthen your overall security posture.