How To Defend Your Most Valuable Security Targets
Privileged User Accounts – Your Most Valuable Targets
Privileged user and local admin accounts are the accounts most frequently used to install software and configure hardware; they are also used to reset passwords, grant access to sensitive data, and log into machines across an environment.
Most of these privileged accounts are easy to identify and easy to target: sysadmins, managers, and IT/security staff can frequently access and change far more than the general employee population. It’s important not to develop tunnel vision and lose track of the other users in your organization who hold sensitive or even critical access levels.
For example, local admin rights granted to an employee’s workstation are easily forgotten, yet employees who retain administrative rights to their workstations are, in fact, privileged users too. These rights let them make changes (configuration, adding or removing applications, and running programs), and an attacker who compromises one of these accounts can gain broad access to your network quite easily.
Attackers treat elevated credentials held by lower-level users as high-value targets and go after them with social engineering and phishing schemes. Not only are these account holders frequently forgotten or de-prioritized by organizations, the risk is compounded because the accounts are held by users with less security awareness than those with higher levels of administrative access.
This matters, a lot
It is well known and understood that local admin and privileged user accounts are high-value targets – cybercriminals are always looking to get access to important systems. Access risks can originate from within the organization, which is especially hazardous if the threat is coming from a user with privileged access.
Data makes this clear:
- 34% of data breaches arise from insider actions (simply poor security hygiene, unhappy employees, or in some cases insider espionage)
- 33% of reported incidents are tied to improper privileges
- 20% of breaches are attributed to simply poor password vigilance
(Source: Verizon Data Breach Investigations Report 2019)
Best Practices: Train Privileged Users, Privileged Account Management Vigilance
Governance Automation
Organizations can dramatically improve their security by using a privileged access management (PAM) system to automate governance. PAM tools modify user access credentials only when authorized, and also provide comprehensive auditing and logging. With many PAM solutions available, it’s straightforward to identify one that is right for your organization.
These systems generally include an approval/management component that prevents credentials from being elevated without notifying others on the network. This is an important failsafe in case an attacker uses a compromised account to modify its own privileges.
Security Training
It is well known that the people in an organization frequently represent a security program’s greatest vulnerability. That said, well-trained employees can also become an organization’s most valuable asset.
Regular user training for the employees accessing your network reinforces the value and importance of security throughout your organization.
Well-trained staff members will have internalized critical security practices and are less likely to fall prey to hackers targeting lower-level accounts. A compromised user account with only local permissions can still be a highly valuable target to a hacker and just as dangerous to your organization.
Privileged User Training
Privileged user training, or privileged access management training, is essential for users who have been granted elevated security privileges. These users require training that goes well beyond the foundational security training the entire office receives: it should educate them about their elevated rights and how to stay vigilant given their greater security responsibility within the organization.
Least Privilege Policy
While training users is important, users should only be granted permissions for services they absolutely require access to.
That means ensuring users have access to the bare minimum of services they require, which is one of the best ways to minimize the damage a hacker can cause and to block any upward credentialing (privilege escalation) they might attempt if they do manage to find a way in.
So it’s essential that your organization enforces a “least privilege” policy uniformly.
Password Best Practices
The guidelines here are clear and well documented; ensure your organization embraces these:
- Always use Multifactor Authentication (MFA) wherever available
- Maintain an accurate inventory of all privileged accounts and who has access to them
- Consider passwords a supervisor might share with someone else in the organization before going out of town, and ensure those privileges are revoked upon the supervisor’s return.
- Create and maintain separate credentials for accounts with elevated rights/system administration. Keep these separate from day-to-day work accounts that don’t require privileged access.
- And of course, change passwords routinely to limit ex-user access
- This is especially significant if you are concerned about retribution from a disgruntled employee, whether currently or previously employed.
Proactive Oversight
It’s critical to routinely review and assess user permissions. Performing periodic audits to quantify and monitor who has access to which services can limit the occurrence of unnecessarily elevated privileges.
People are people: you can’t expect your users to remember to tell you about access they no longer need. Instead, implement a scheduled process for keeping track of access, and be sure to keep those records up to date.
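As an added illustration of the inventory and periodic-audit practice described above (this is example code written for this page, not a tool from the original post): a small audit that compares a snapshot of each workstation’s local Administrators group against an approved inventory and flags forgotten grants, expired temporary delegations such as the out-of-town supervisor case, and stale inventory records. Host names, account names, the `CORP\` domain and the dates are all constructed sample data.

```python
from datetime import date

# Constructed approved-access inventory maintained by IT: which accounts may hold
# local admin rights on which workstation, with an expiry date for temporary
# grants (e.g. a supervisor delegating access while out of town).
APPROVED = {
    "WS-FIN-01": {"CORP\\adm-jsmith": None},
    "WS-ENG-07": {"CORP\\adm-rlee": None, "CORP\\tmp-kchen": date(2024, 3, 15)},
    "WS-OPS-02": {"CORP\\adm-mdoe": None},
}

# Constructed snapshot of the actual local Administrators group on each
# workstation, as gathered by a scheduled collection job.
OBSERVED = {
    "WS-FIN-01": ["CORP\\adm-jsmith", "CORP\\jsmith"],
    "WS-ENG-07": ["CORP\\adm-rlee", "CORP\\tmp-kchen", "CORP\\Domain Users"],
    "WS-HR-03": ["CORP\\pjones"],
}

AUDIT_DATE = date(2024, 4, 1)  # constructed date on which the snapshot is reviewed


def audit_local_admins(approved, observed, today):
    """Compare observed local admin membership with the approved inventory.

    Returns (host, account, finding) tuples for anything that needs action.
    """
    findings = []
    for host, members in observed.items():
        allowed = approved.get(host, {})
        for member in members:
            if member not in allowed:
                # A forgotten or never-recorded grant: the "forgotten" local admin
                findings.append((host, member, "not in approved inventory"))
            elif allowed[member] is not None and today > allowed[member]:
                # A temporary delegation that was never revoked
                findings.append((host, member, "temporary grant expired"))
    # Approved entries that are no longer present point at a stale inventory record
    for host, allowed in approved.items():
        for account in allowed:
            if account not in observed.get(host, []):
                findings.append((host, account, "approved but not present"))
    return findings


def run_audit():
    return audit_local_admins(APPROVED, OBSERVED, AUDIT_DATE)


if __name__ == "__main__":
    for host, account, finding in run_audit():
        print(f"{host:10} {account:25} {finding}")
```

In practice the `OBSERVED` snapshot would be fed from whatever your endpoint management or PAM tooling collects, and the findings would open a ticket for review rather than only printing.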
Policy-Based Controls
Finally, establish and enforce access policies that clearly spell out your organization’s expectations for the users on your network.
This also includes setting clear expectations around public network usage, social media usage, and who can access restricted information, modify passwords, and access data. Put all of this in writing in an acceptable use policy and have users sign it, confirming they understand their responsibilities before you provision network access.
Keep the agreement current so it reflects your present security infrastructure and business operations; it will serve to manage personal use of company resources, protect your organization against legal action, and help secure your data from threats.
Summary
Local admin accounts and users with elevated access are high-value targets for attackers. As is a best practice in today’s information security climate, quantify your vulnerabilities and focus your activity on protecting your most valuable assets.