The Verizon 2015 Data Breach Investigations Report noted that 96% of the nearly 80,000 security incidents analyzed...
could be traced to nine basic attack patterns that vary from industry to industry. Insider misuse ranked third out of nine, and 55% of the misuse was privileged accounts abuse. The report stated individuals abusing their access privileges occurred in almost every industry; however, the most affected industries were the public, health and financial sectors.
No one wants to admit that trusted employees or insiders have abused their privileged accounts to cause the enterprise harm. Whether for financial gain, retribution or accident, the perpetrators have had access, knowledge, opportunity, time and possibly the advantage of knowing how to go undetected. But limiting privileged access is not an issue of trust. If trust is an issue, the organization should rid itself of that insider. It is a matter of prudent controls and accountability. Luckily there are ways CISOs can deploy controls and assignment of privileged accounts without impairing their ability to perform their job responsibilities.
Challenges with privileged accounts
A vast majority of system administrators, network engineers, technical support staff, database administrators and information security engineers believe that due to the nature of the job, they need full, unrestricted privileged access. The challenge is that they and the enterprise have become so dependent on this level of access, that it is difficult to change. The reasons for this include:
- Privileged accounts are typically the same across multiple platforms and components. If a privileged account can be cracked on one platform, it affects access to the entire environment.
- Some privileged accounts are shared between administrators, which affects accountability.
- Embedded service accounts in application systems make it difficult to comply with periodic password changes dictated by security policies.
- Privileged accounts typically are not subject to the same enterprise password controls, for fear they may be locked out and denied access when it's critically needed.
- Poor change controls, ineffective recovery systems and recurring emergency changes require privileged access to maintain system availability and performance levels.
- Small staffs require administrators to fill conflicting job responsibilities at the network, system, application, security and database administrator levels.
Restricting privileged accounts
Administrators need the ability to access system resources at a level higher than the general user to do their job. For example, any minor change to a network device configuration can impact the entire enterprise. Restricting access can be detrimental to IT operations and system availability. But basic controls such as separation of duties, monitoring activities, change control requirements, least privilege and accountability can still be achieved. Some of these controls include:
- Limiting the number of privileged accounts.
- Not all administrators need domain accounts or super user privileges on external security managers, such as mainframe IBM's RACF, CA-ACF2 or CA-Top Secret.
- Use Active Directory Administrative Groups in assigning privileged accounts.
- Ensure all privileged users use their own accounts. They can have privileged accounts, but they should also use a general user account as long as the assigned administrator owns them.
- All privileged activity should be logged and logs are routed directly to a SIEM so the logs cannot be deleted or modified.
- Administrators should use multifactor authentication for all remote access.
- Sensitive data accessible by administrators should be encrypted to mitigate exposure.
- Administrator passwords should be subject to enterprise controls and enforced by Group Policy Object rules without exception.
- Periodic account certifications should be performed by technical managers to ensure privileged account access is still required.
- Database administrators do not need domain accounts. They need access to maintain the databases, schemas and perform database reorganizations. If they need to modify data, it should be subject to database monitoring.
- Segment the network so administrators are restricted to systems they are responsible for by using firewall VLAN, proxies and ACLs.
- Information security accounts need to dictate security constructs, but they do not need access to read or modify production data. These accounts need to be monitored by a SIEM and activities should be subject to management review.
- Technical managers should not have domain accounts, unless needed because of a staffing shortage. Managers and information security staff should monitor privilege account activity.
- Use data loss prevention tools to monitor activity at the network, server, shares and endpoint levels for data leakage or exfiltration.
There are tools in the market that provide additional restrictions to privileged accounts. These privileged access management systems vary and can be used to augment the above controls. Aside from these systems, limiting the number of privileged account assignments, monitoring privileged account activity, ensuring accountability, separating duties and protecting sensitive data may be sufficient.
Restricting privileged accounts
Restrictions on privileged accounts many times depend on the size of the IT organization. The more administrators there are, the easier it is to restrict access based on least privilege. On a smaller staff where everyone wears different hats, it is more challenging to limit access. However, left without accountability or monitoring, privileged users may go astray. There are three types of controls:
- Preventive controls: Restrict privileged access only to systems and environments the user is responsible for.
- Detective controls: Ensure privileged account activity is complete, secure and monitored by using SIEM or syslog servers not accessible by administrators.
- Corrective controls: Verify sufficient backup and recovery controls are in place to restore systems to normal processing in the event of privileged user misuse.
Use these or a combination of these three controls to realize the right mix in restricting privileged accounts. Security, and controls over privileged accounts, does not have to be burdensome or disruptive. Much of this is commonsense. Thought-out network topologies, access controls, monitoring and recovery procedures can mitigate privileged user risks and still allow them to perform their job responsibilities.
Learn more about how to securely manage privileged accounts
Find out how to get control over privileged identity management in your organization
Learn how to secure cloud authentication credentials