How poor privileged account management enables serious security breaches
Whether it's the work of an external attacker breaking into the network, or a crooked insider abusing their position, almost all data breach incidents are united by the misuse of user accounts; analysis from Forrester found that 80 percent of all data breaches involved the misuse of credentials. In particular, accounts with privileged access pose a serious threat and are one of the most sought-after prizes among attackers.

Privileged accounts enjoy significantly more powers than normal users, generally allowing both unrestricted access to sensitive and mission-critical data, as well as administrative control over the network. Gaining control of such an account is a cyber-attacker's dream, enabling them to conduct large-scale data theft or implant malware with little fear of detection.

Accordingly, controlling and securing these accounts through Privileged Access Management (PAM) should be an important element of any organisation's security strategy. This was reflected in Thycotic's report, the 2018 State of Privileged Access Management Security Imperative Risk and Compliance, which surveyed more than 500 organisations around the world.

80 percent of respondents stated that PAM security was a high priority for their organisation, while 60 percent indicated that it was required in order to comply with governmental regulations. Despite PAM being high on most organisations' security agendas, however, a worryingly large number of organisations would fail a full audit of their PAM security measures. 70 percent of the companies surveyed had major failings in how they protected their privileged accounts, leaving them vulnerable to potentially devastating security incidents.

The risk of poor PAM processes

Perhaps the most worrying trend uncovered is the tendency for companies to simply lose track of their privileged accounts; 70 percent of organisations failed to fully discover all of the privileged accounts on their systems, while 40 percent did not undertake any activity to discover them at all. Having unknown privileged accounts floating around the system presents a huge security risk, as any malicious actor who discovers them can easily abuse their powers while remaining undetected.

Similarly, 55 percent of companies failed to remove accounts following an employee's termination. Alongside the inherent risk of having dormant accounts on the system, there is also a danger of the terminated employee accessing their old account for malicious reasons, particularly if they parted with the company on bad terms.

Manually discovering and removing unused accounts can be a very time-consuming task, particularly for large organisations that are dealing with years of legacy systems, acquisitions, and mergers. However, automated PAM software can be used to discover all privileged accounts on the system, as well as providing full visibility of accounts on an ongoing basis.

Implementing a least privilege approach to users is one of the most effective ways of reining in the number of privileged accounts. Each user should only be given as much system access as they need for their job role, and privileged accounts should be kept to an absolute minimum.

All privileged accounts should then be protected with the highest level of security, including strong password management and the use of multifactor authentication. Controls should also be put in place to manage individual session activity, preventing attackers from using privileged accounts to run remote access tools, commands and malicious applications.

Third party threats

The challenges of keeping track of privileged accounts are exacerbated when third parties such as partners and contractors are thrown into the mix. We found that 70 percent of companies failed to properly limit third-party access to privileged accounts, making it a major security blind spot. Companies often treat their contractors along the same lines as their internal employees when it comes to access controls. This can present a serious security risk, as a company has far less visibility and control over the security behaviours of a third party.

Contractors and other third parties are often used to circumvent the security measures of their intended victim, as demonstrated by the serious breach suffered by retail chain Target after attackers stole the credentials of a heating and ventilation contractor. If an attacker is able to acquire third-party login information for an account with privileged access, they can immediately inflict serious damage on the company. Again, a least privilege approach is absolutely essential to managing this risk.

Establishing a PAM lifecycle

Keeping privileged access accounts secure requires a consistent cycle of review and management. Organisations need to understand their own need for PAM, identify all privileged accounts on the system, and implement controls to protect access and restrict their use. After this, it is essential to have a consistent programme of monitoring privileged accounts for anomalous behaviour that could indicate malicious activity, and to respond quickly to suspected compromise. These processes need to be regularly reviewed and refreshed, especially if the security situation at the company changes.
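The lifecycle described above (identify every privileged account, check each against ownership and inventory, then monitor sessions for anomalies) can be reduced to a small, repeatable audit. The following Python script is an added illustration and is not part of the article or of any Thycotic product; the directory export, the PAM inventory, the privileged group names, the approved jump-host address and the session log lines are all constructed for the example. It flags the failure modes the article lists: privileged accounts the PAM tool does not know about, accounts still alive after their owner was terminated, dormant accounts, and third-party accounts holding privileged membership, and then scans a session log for privileged logins that happen off-hours or bypass the managed jump host.

```python
"""Constructed PAM lifecycle audit (example only; no real directory data)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Account:
    name: str
    groups: tuple          # directory group memberships
    owner_status: str      # "active", "terminated" or "contractor" (constructed HR status)
    last_login: date


# Hypothetical group names that confer privilege in this constructed environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudoers", "db_admin"}

TODAY = date(2024, 6, 1)

# Constructed directory export.
ACCOUNTS = [
    Account("alice", ("Domain Admins",), "active", TODAY - timedelta(days=2)),
    Account("bob", ("Developers",), "active", TODAY - timedelta(days=1)),
    Account("svc_backup", ("db_admin",), "active", TODAY - timedelta(days=120)),
    Account("carol", ("sudoers",), "terminated", TODAY - timedelta(days=10)),
    Account("hvac_vendor", ("Domain Admins",), "contractor", TODAY - timedelta(days=1)),
]

# Constructed list of accounts the PAM tool has already discovered and vaulted.
INVENTORY = {"alice", "carol", "hvac_vendor"}

# Constructed address of the only host privileged sessions should originate from.
APPROVED_JUMP_HOSTS = {"10.0.0.10"}

# Constructed session log, one "timestamp key=value ..." record per line.
SESSION_LOG = [
    "2024-06-01T02:14:00 user=alice src=10.0.0.55 action=login",
    "2024-06-01T09:30:00 user=alice src=10.0.0.10 action=login",
    "2024-06-01T10:02:00 user=bob src=10.0.0.20 action=login",
    "2024-06-01T20:30:00 user=carol src=10.0.0.10 action=login",
    "2024-06-01T23:50:00 user=hvac_vendor src=203.0.113.7 action=login",
]


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it belongs to any privileged group."""
    return bool(set(acct.groups) & PRIVILEGED_GROUPS)


def audit(accounts, inventory, today, dormant_days=90):
    """Discovery and control step: return (account, finding) pairs for every
    privileged account that breaks one of the lifecycle rules."""
    findings = []
    for acct in accounts:
        if not is_privileged(acct):
            continue
        if acct.name not in inventory:
            findings.append((acct.name, "unmanaged"))      # not known to the PAM tool
        if acct.owner_status == "terminated":
            findings.append((acct.name, "orphaned"))       # owner has left, account remains
        if acct.owner_status == "contractor":
            findings.append((acct.name, "third-party"))    # external party with admin rights
        if (today - acct.last_login).days > dormant_days:
            findings.append((acct.name, "dormant"))        # unused long enough to remove
    return findings


def find_anomalous_sessions(log_lines, accounts, approved_hosts, work_hours=(7, 19)):
    """Monitoring step: flag privileged logins that are off-hours or that did
    not come through an approved jump host. Returns (user, timestamp, reasons)."""
    privileged = {a.name for a in accounts if is_privileged(a)}
    alerts = []
    for line in log_lines:
        ts_text, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("action") != "login" or rec.get("user") not in privileged:
            continue
        ts = datetime.fromisoformat(ts_text)
        reasons = []
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("off-hours")
        if rec.get("src") not in approved_hosts:
            reasons.append("bypassed-jump-host")
        if reasons:
            alerts.append((rec["user"], ts_text, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, INVENTORY, TODAY):
        print(f"FINDING {name}: {finding}")
    for user, ts, reasons in find_anomalous_sessions(SESSION_LOG, ACCOUNTS, APPROVED_JUMP_HOSTS):
        print(f"ALERT {user} at {ts}: {', '.join(reasons)}")
```

On the constructed data the audit reports svc_backup as both unmanaged and dormant, carol as orphaned and hvac_vendor as third-party, while alice passes; the session scan then surfaces alice's 02:14 login from an unapproved host, the terminated user carol's evening login, and the contractor's late-night login from outside the network. In practice the account list would come from a directory export and the inventory from the PAM tool, and each finding maps directly onto a lifecycle action: vault the unmanaged account, disable the orphaned and dormant ones, and re-scope the third-party account to least privilege.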

Implementing a continuous PAM lifecycle will empower an organisation to track and secure its privileged accounts with a high degree of assurance, limiting the ability of either external attackers or malicious insiders to abuse the powers of a privileged account to facilitate a major security breach.

Contributed by Joseph Carson, Chief Security Scientist, Thycotic

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.