CBR: What are Privileged Accounts?
ML: Privileged accounts are valid credentials used to gain access to systems in the business. The difference is that they also provide elevated, non-restrictive access to the underlying platform that non-privileged accounts don’t have access to. These accounts are designed to be used by people, applications and machines to deploy and manage IT technology, such as operating systems, network devices, applications and more. They are the keys to the infrastructure, providing access to just about everything, often including the actual data residing on the systems – which is why they are the first thing that attackers and malicious insiders seek to compromise.
CBR: What can cyber attackers do once they have exploited them?
ML: Privileged accounts represent the largest security vulnerability an organisation faces today. In the hands of an external attacker or malicious insider, they allow attackers to take full control of an organisation’s IT infrastructure, disable security controls, steal confidential information, commit financial fraud and disrupt operations. Stolen, abused or misused privileged credentials are used in nearly all breaches.
CBR: What common methods do hackers use to try and obtain privileged credentials?
ML: An attacker’s first step might be targeting an endpoint, which is usually the main entrance point to the network and often has the easiest vulnerabilities to exploit. Verizon analysed 2,260 breaches and found that almost two-thirds of them were made possible by the use of weak, default or stolen passwords.
Other methods used by hackers include spearphishing, an incredibly effective email spoofing fraud attempt, as well as off-the-shelf or custom malware and identity theft.
Typically, an internet infrastructure as a whole will be probed for vulnerabilities, scanning for an access point to be used as a way in. Whatever method is used to compromise the privileged accounts, the goal is the same: to obtain credentials that can allow an attack to escalate.
CBR: What measures should companies put in place to secure their privileged accounts?
ML: There are a number of steps an organisation should take, starting with identifying and reducing the number of privileged accounts in the business. Often organisations have no idea, or vastly underestimate, the number of privileged accounts in their IT infrastructure. Each account that goes unnoticed is another vulnerability waiting to be exploited. Creating an inventory of these accounts is critical – once this is established, unnecessary accounts should be deleted.
Another important security policy to enforce is the principle of least privilege. This means only giving as much power to an employee as they need to do their job. In addition, standard users should only be given privileged access on a case-by-case, as-needed basis.
Secure credential management is a must. Businesses should store privileged passwords in the most secure, encrypted vaulting system available and ensure that privileged account activity is carefully monitored.
CBR: What best practices should companies implement to maintain privileged security?
ML: Basic controls include minimising user privileges to reduce the attack surface, and managing privileged passwords. This includes creating one-time passwords, automatically changing them on a 30- or 60-day cycle, and – of course – making them as complex as possible.
It’s also just as important to monitor privileged accounts, which are consistently targeted by advanced insider and external attackers alike. Having advanced insider threat detection capabilities to recognise unusual activity will help companies to automatically detect and alert on high-risk privileged activity during user sessions and enable rapid response to in-progress attacks.