BreachExchange mailing list archives
The threat of privileged user access - monitoring and controlling privilege users
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 9 Nov 2016 16:38:03 -0600
http://www.scmagazineuk.com/the-threat-of-privileged-user-access--monitoring-and-controlling-privilege-users/article/568490/

The days when cyber-security was an afterthought in the business world are largely behind us. In our current connected age, it is arguably one of the most important business issues. New malware and inventive ways to hack into systems emerge constantly, prompting companies to invest heavily in keeping their security up to date. This also means that while zero-day exploits and other new tools in the arsenal of cyber-criminals can be very dangerous, security is for the most part advanced enough to provide reliable protection against most external threats, provided that you invest sufficiently and follow all the best practices.

However, while denial of service, botnets, malware, ransomware and other types of external attack occupy the headlines, another dangerous cyber-security threat often goes largely ignored. It is a threat that comes from within the organisation itself – malicious and inadvertent insiders. Sensitive financial and personal information about your business and clients can sell for a great deal of money, and your own employees are in the best position to steal it.

Insider threats can be hard to remediate, and even harder to detect in the first place. It is important to keep an eye on your employees, especially those who work directly with valuable data and critical system configuration files every day. However, the most dangerous insiders are usually the most trusted ones – employees with privileged accounts. Such accounts not only give them legitimate access to restricted information, but also full control over their systems, putting them in the best position to commit malicious actions. And despite investing heavily in cyber-security, not many organisations put forth the money and specialists needed to deal with them.

Monitoring and controlling privileged user access is a necessary part of any reliable security system, but to do it right, many companies will need to change their approach to the problem – from treating it as an afterthought to taking a more proactive stance in employing best practices and security solutions <https://www.ekransystem.com/en> to protect the organisation.

What is a privileged user account?

To understand how to monitor and control privileged users, we first need to understand what a privileged user account is and how to identify one. The term “privileged user account” can be used to describe any account that gives unrestricted access to the system. Such accounts provide users with the ability to access and modify critical system settings, view restricted data, and so on. There is a variety of privileged accounts, designed to fulfil different purposes. Despite the fact that the term is self-explanatory, some companies have trouble identifying every privileged <http://www.scmagazineuk.com/global-survey-releases-greatest-security-concerns-and-risks/article/441839/> account they use. Therefore, it is important to know what privileged accounts are and for what purpose they can be used.

The easiest way to classify privileged accounts is by the scope they allow a user to control:

● *Domain accounts* – these give administrative access to all workstations and servers within a particular domain. Accounts of this type give the highest level of control, including the ability to control each system and to manage the administrative accounts of every system within the domain.
● *Local accounts* – these give administrative access to a single server or workstation. They give full control over that system and are often used by IT specialists to conduct maintenance.
● *Application accounts* – these give administrative access to applications. They can be used to access and manage databases and to perform setup and maintenance. These accounts give control over all the data inside the application and can easily be used to steal sensitive information.

Privileged accounts can also be classified by the purpose for which they are created:

● *Personal privileged accounts* – accounts that give administrative privileges to a single specific employee. These accounts are often created for managers or database operators who work with sensitive information, such as financial or HR data.
● *Administrative accounts* – these are the standard administrative accounts created automatically for every system. They are usually handled by IT or security staff.
● *Service accounts* – these accounts are created to allow applications to interact over the network in a more secure fashion.
● *Emergency accounts* – these accounts are used in case of immediate problems that require an elevated level of privilege to be fixed, such as disaster recovery and business continuity failures.

Typical users of privileged accounts are system administrators, network engineers, database administrators, data centre operators, upper management, security personnel and so on. All of these positions work directly with critical data and infrastructure and usually enjoy a high level of trust from the company. However, this level of access and trust is precisely what makes them such a dangerous threat to your company.

Danger of privileged user accounts

An elevated level of privilege allows users to perform a wide variety of malicious actions, from data misuse to completely compromising the system. Users may use their administrative access to steal sensitive client data and financial information in order to sell it, or even simply leak it online. Privileged accounts can also be used to modify or delete sensitive data, opening possibilities for fraud. Tech-savvy users can use such accounts to install backdoors or exploits that give them full access to the system. Disgruntled employees can even bring the whole system down by altering critical settings.

However, what makes privileged accounts dangerous is not the extent of their access, but rather how easy it is for their holders to perform malicious actions and how hard those actions can be to detect. With legitimate access to sensitive data and system settings, the malicious actions of privileged users are often indistinguishable from their everyday activity. Such users can easily cover their tracks, and even if they get caught, they can simply claim that they made a mistake. Therefore, malicious actions by privileged users can go completely undetected for a very long time, which only serves to ramp up damages and remediation costs when the activity is finally discovered.

It is also worth noting that malicious attacks are not the only danger when it comes to privileged accounts. With an extended level of privilege, mistakes and inadvertent actions can often be just as costly for a company as a deliberate attack. Simply emailing sensitive data to the wrong person can cause millions in damages and remediation costs. Another big concern is the security of the credentials themselves. If perpetrators manage to use social engineering or hacking to obtain a privileged account, it gives them access to the whole system.

Therefore, among all of your employees, privileged users pose the biggest threat. According to the 2015 Insider Threat Report, 59 percent of cyber-security specialists consider privileged users to pose the biggest security risk for their organisations. It is paramount for a modern company to protect itself from the insider threats associated with privileged accounts.

What can we do about it?

Privileged users present a unique security challenge because of how much control over the system they have. This makes it very hard to get a good grasp of what they are actually doing, and many security tools are not designed to deal with such users and prove ineffective in practice. Ultimately, effective security in this situation comes down to effective privileged-user management, control and monitoring. You need to employ the right people and the right tools for the job and follow established industry practices to succeed.

● *Privileged-user account management* – you need to make sure that all privileged users in your organisation are accounted for and that there are no users with an unnecessarily high level of privilege. Make sure to develop proper creation and termination procedures for privileged accounts.
● *Privileged-user access control* – you need to know who had access to a privileged account, when, and for what purpose. Smart password management, various forms of multi-factor authentication and access monitoring are great ways to do privileged access management; they allow you to thoroughly protect privileged accounts from unauthorised access and to precisely identify anyone who uses such accounts.
● *Privileged-user monitoring* – recording user actions is the best way to prevent insider threats and an effective detection tool in case an insider attack has happened. Professional privileged-user monitoring solutions provide the visibility necessary to control every privileged session and to respond immediately to any incidents that occur.

Insider threats in general, and those associated with privileged users in particular, require a layered approach to deal with them effectively. By making them an integral part of your security strategy you will be able to better protect your sensitive data from all sides and strengthen your overall security posture.
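The account-management and monitoring points above can be made concrete with a small reconciliation check. The script below is an added example, not code from the article or from any product it mentions: it parses a constructed /etc/group-style listing, compares the members of assumed privileged groups (sudo, wheel, adm, docker) against a constructed approved inventory, reports users who hold privilege without approval and inventory entries that are stale, and then scans constructed syslog-style sudo/su lines to flag privilege escalations by actors outside that inventory. Group names, users, paths and log lines are all assumptions made for illustration.

```python
"""Reconcile privileged-group membership against an approved inventory and
flag privilege-escalation events by unapproved actors in auth log lines.
All input data below is constructed for illustration; the log lines follow
the usual Linux sudo and pam_unix syslog layout."""
import re
from collections import defaultdict

# Groups assumed to confer local administrative privilege on this platform.
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm", "docker"}

# Constructed /etc/group-style content.
GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:alice
adm:x:4:syslog,carol
docker:x:999:dave
users:x:100:alice,bob,carol,dave,erin
"""

# Constructed approved inventory: user -> justification recorded at approval.
APPROVED_PRIVILEGED = {
    "alice": "platform team",
    "carol": "log administration",
    "frank": "former DBA, access should have been terminated",  # stale entry
}

# Constructed auth log lines (syslog-style sudo and su events).
AUTH_LOG = """\
Nov  9 16:01:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Nov  9 16:03:40 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/mysqldump --all-databases
Nov  9 16:05:02 host1 su: pam_unix(su:session): session opened for user root by dave(uid=1003)
Nov  9 16:07:55 host1 sudo:    carol : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/syslog
Nov  9 16:09:30 host1 sshd[2211]: Accepted publickey for erin from 10.0.0.5 port 50222 ssh2
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(r"su: .*session opened for user (?P<target>\w+) by (?P<actor>\w+)")


def parse_group_file(text):
    """Map each group name to the set of its supplementary members."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def privileged_users(groups, privileged_groups=PRIVILEGED_GROUPS):
    """Return user -> set of privileged groups that user belongs to."""
    result = defaultdict(set)
    for gname, members in groups.items():
        if gname in privileged_groups:
            for user in members:
                result[user].add(gname)
    return dict(result)


def audit_inventory(actual, approved):
    """Compare actual privileged membership with the approved inventory.

    Returns (unapproved, stale): users holding privilege without an approval
    record, and approved entries that no longer hold any privileged membership
    (candidates for removal under the termination procedure)."""
    unapproved = {u: sorted(g) for u, g in actual.items() if u not in approved}
    stale = sorted(u for u in approved if u not in actual)
    return unapproved, stale


def parse_privilege_events(log_text):
    """Extract (actor, target, detail) tuples for sudo and su escalations."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            events.append((m["actor"], m["target"], m["cmd"].strip()))
            continue
        m = SU_RE.search(line)
        if m:
            events.append((m["actor"], m["target"], "su session"))
    return events


def flag_unapproved_escalations(events, approved):
    """Return escalation events whose actor is not in the approved inventory."""
    return [e for e in events if e[0] not in approved]


if __name__ == "__main__":
    actual = privileged_users(parse_group_file(GROUP_FILE))
    unapproved, stale = audit_inventory(actual, APPROVED_PRIVILEGED)
    print("unapproved privileged users:", unapproved)
    print("stale inventory entries:", stale)
    for actor, target, detail in flag_unapproved_escalations(
            parse_privilege_events(AUTH_LOG), APPROVED_PRIVILEGED):
        print(f"ALERT {actor} -> {target}: {detail}")
```

Run against the constructed data, the inventory check reports bob, syslog and dave as holding privilege without approval and frank as a stale record, and the log check raises alerts for bob's sudo command and dave's su session while alice's and carol's approved activity passes silently. The same two functions can be pointed at a real /etc/group and auth log; the approved inventory is the part that has to be maintained as accounts are created and terminated.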
_______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange