Q

To protect privileged users, consider using least privilege principle

To defend against "laterally" moving attackers, consider granting privileged users the least privileges necessary. Expert Nick Lewis explains how.

I've read that attackers who make use of spear phishing generally target system and database administrators so they can move "laterally" through a network with privileged credentials. Are there specific methods that enterprises can use to defend such privileged users?

Ask the Expert!

SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)

System admins and root accounts have always been among the favorite targets of attackers because once they obtain that level of access, they can install rootkits, capture passwords, access password hashes, access all data and more. Perhaps most importantly, an attacker could gain access to an organization's sensitive data by moving "laterally" through the network.

For those who haven't heard the term before, moving laterally means to explore a network once access has been established. Attackers move from one system to another in search of ill-gotten gains as well as to stay one step ahead of detection. Once an attacker has full access to the network, lateral movement is hard to detect and harder to stop. Implementing a separation of duties will not thwart the attack if the compromised admin account can gain access to other admin accounts. As is often said in the world of InfoSec, an attacker getting the keys to the kingdom can mean "game over" for an organization.

Enterprises can consider taking several steps to minimize this risk, including implementing strong authentication, monitoring administrative accounts and using the least privileges necessary for managing the data and network. Employing strong authentication methods, such as two-factor authentication using a smartcard or a one-time password generator, can make it more difficult to capture passwords or forge authentication credentials. In Windows, passwords for the last 10 or more accounts that have logged in can be cached and if cracked, those passwords can be used to move laterally throughout a network as described above. Malware with keyloggers are less effective on two-factor hardware tokens because of the additional protections from the hardware design.

Monitoring administrator accounts will not stop an account from being used laterally, but it will help identify when an admin account has been compromised. For example, if an admin account only logs in on the local console, but there is a log entry for a remote login, the situation might be something to investigate further. Using the least privilege necessary is good advice not only for normal users, but also for admins. If administrators don’t need full admin access to perform their duties, they should not be using a full admin account; instead, they can be limited to just the access necessary to perform their job. For example, if an operator only needs to be able to reboot a server, but not apply patches or make configuration changes, this person would only need to be granted access to reboot the system rather than full admin access.

This was first published in March 2014

Dig deeper on Enterprise User Provisioning Tools

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close