Marcell Gogan, information security specialist,

The days when cyber-security was an afterthought in the business world are long past. In our connected age, it is arguably one of the most important business issues of the moment. New malware and inventive ways to break into systems emerge constantly, prompting companies to invest heavily in keeping their security up to date. It also means that while zero-day exploits and other new tools in the arsenal of cyber-criminals can be very dangerous, for the most part security is advanced enough to provide reliable protection against most external threats, provided that you invest in it sufficiently and follow the best practices.

However, while denial of service, botnets, malware, ransomware and other types of external attacks occupy the headlines, another dangerous cyber-security threat often goes largely ignored. It is a threat that comes from within the organisation itself – malicious and inadvertent insiders. Sensitive financial and personal information about your business and clients can sell for a very large amount of money, and your own employees are in the best position to steal it. Insider threats can be hard to remediate, and even harder to detect in the first place. It is important to keep an eye on your employees, especially those who work directly with valuable data and critical system configuration files on an everyday basis.

However, the most dangerous insiders are usually the most trusted ones – employees with privileged accounts. Such accounts not only give them legitimate access to restricted information, but also full control over their systems, putting them in the best position to commit malicious actions. And despite investing heavily in cyber-security, not many organisations commit the money and specialists needed to deal with them. Monitoring and controlling privileged user access is a necessary part of any reliable security programme, but in order to do it right, many companies will need to change their approach to the problem – from treating it as an afterthought to taking a more proactive stance, employing the best practices and security solutions to protect the organisation.

What is a privileged user account?

In order to understand how to monitor and control privileged users, we first need to understand what a privileged user account is and how we can identify it. The term “privileged user account” can be used to describe any account that gives unrestricted access to a system. Such accounts provide users with the ability to access and modify critical system settings, view restricted data, and so on.

There is a variety of privileged accounts, designed to fulfil different purposes. Although the term is self-explanatory, some companies have trouble identifying every privileged account they use. Therefore, it is important to know what privileged accounts are and for what purposes they can be used.

The easiest way to classify privileged accounts is by the scope of what they control:

●     Domain accounts – these privileged accounts give administrative access to all workstations and servers within a particular domain. Accounts of this type give the highest level of control, such as the ability to control each system and to manage the administrative accounts of every system within the domain.

●     Local accounts – these privileged accounts give administrative access to a single server or workstation. They give full control over that system and are often used by IT specialists to conduct maintenance.

●     Application accounts – these privileged accounts give administrative access to applications. They can be used to access and manage databases and to perform setup and maintenance. These accounts give control over all the data inside the application and can easily be used to steal sensitive information.

Privileged accounts can be created to fulfil the following purposes:

●     Personal privileged accounts – accounts that give administrative privileges to a single specific employee. These accounts are often created for managers or database operators, who work with sensitive information, such as financial or HR data.

●     Administrative accounts – these are standard administrative accounts created automatically for every system. They are usually handled by IT or security staff.

●     Service accounts – these accounts are created to allow applications to interact over the network in a more secure fashion.

●     Emergency accounts – these accounts are used for immediate problems that require an elevated level of privileges to fix. Such problems include disaster recovery and business continuity failures.

Typical users of privileged accounts are system administrators, network engineers, database administrators, data centre operators, upper management, security personnel, and so on. All of these positions work directly with critical data and infrastructure and usually enjoy a high level of trust from the company. However, this level of access and trust is precisely what makes them such a dangerous threat to your company.

Danger of privileged user accounts

An elevated level of privileges allows users to perform a wide variety of malicious actions, from data misuse to completely compromising the system. Users may use their administrative access to steal sensitive client data and financial information in order to sell it, or even simply leak it online. Privileged accounts can also be used to modify or delete sensitive data, opening possibilities for fraud. Tech-savvy users can use such accounts to install backdoors or exploits that give them full access to the system. Disgruntled employees can even bring the whole system down by altering critical settings.

However, what makes privileged accounts dangerous is not the extent of their access, but rather how easy it is for their holders to perform malicious actions and how hard those actions can be to detect.

With legitimate access to sensitive data and system settings, the malicious actions of privileged users are often indistinguishable from their everyday activity. Such users can easily cover their tracks, and even if they are caught, they can simply claim that they made a mistake. Therefore, malicious actions by privileged users can go completely undetected for a very long time, which only serves to ramp up damages and remediation costs when the activity is finally discovered.

It is also worth noting that malicious attacks are not the only danger when it comes to privileged accounts. With an extended level of privileges, mistakes and inadvertent actions can often be just as costly for a company as a deliberate attack. Simply emailing sensitive data to the wrong person can cause millions in damages and remediation costs.

Another big concern is the security of such credentials. If perpetrators manage to obtain a privileged account through social engineering or hacking, it gives them access to the whole system.

Therefore, among all of your employees, privileged users pose the biggest threat. According to the 2015 Insider Threat Report, 59 percent of cyber-security specialists consider privileged users to pose the biggest security risk to their organisations. It is paramount for a modern company to protect itself from the insider threats associated with privileged accounts.

What can we do about it?

Privileged users present a unique security challenge because of how much control over the system they have. This makes it very hard to get a good grasp of what they are actually doing, and many security tools are not designed to deal with such users and prove ineffective in practice.

Ultimately, effective security in this situation comes down to effective privileged user management, control and monitoring. You need to employ the right people and the right tools for the job and follow established industry practices in order to succeed.

●     Privileged user account management – you need to make sure that all privileged users in your organisation are accounted for and that no user has an unnecessarily high level of privileges. Make sure to develop proper creation and termination procedures for privileged accounts.

●     Privileged user access control – you need to know who had access to a privileged account, when, and for what purpose. Smart password management, various forms of multi-factor authentication and access monitoring are effective ways to do privileged access management; they allow you to thoroughly protect privileged accounts from unauthorised access and to precisely identify anyone who uses such accounts.

●     Privileged user monitoring – recording user actions is the best way to deter insider threats and an effective detection tool in case an insider attack has happened. Professional privileged user monitoring solutions provide the visibility needed to control every privileged session and to respond immediately to any incidents that occur.
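As an added illustration of the three controls above (not code from the article or its author), the following script reconciles the privileged accounts a system reports against an approved register and a privileged session log. All account names, owners, tickets and timestamps are constructed sample data; the account purposes follow the article's own categories (personal, service, administrative, emergency).

```python
# Added example (constructed data): reconcile discovered privileged accounts
# with the approved register and the privileged session log.
from datetime import datetime, timedelta

# Constructed: privileged accounts the systems report (account -> purpose).
DISCOVERED = {
    "CORP\\jsmith-adm": "personal",
    "CORP\\svc-backup": "service",
    "srv-db01\\Administrator": "administrative",
    "CORP\\breakglass01": "emergency",
    "CORP\\temp-contractor": "personal",  # created, but never registered
}
# Constructed: approved register, account -> accountable owner (None = unknown).
APPROVED = {
    "CORP\\jsmith-adm": "J. Smith",
    "CORP\\svc-backup": "Backup team",
    "srv-db01\\Administrator": None,
    "CORP\\breakglass01": "Security on-call",
}
# Constructed: privileged session log (ISO timestamp, account, ticket or None), chronological.
SESSIONS = [
    ("2015-06-01T02:10:00", "CORP\\breakglass01", None),
    ("2015-06-01T09:00:00", "CORP\\jsmith-adm", "CHG-1001"),
    ("2015-06-02T10:30:00", "CORP\\temp-contractor", None),
]
AS_OF = datetime(2015, 6, 30)  # constructed "now" for the stale-account check

def audit(discovered, approved, sessions, now, stale_days=90):
    findings = []
    # Account management: every privileged account must be registered to an owner.
    for acct, purpose in discovered.items():
        if acct not in approved:
            findings.append(("UNREGISTERED", acct, f"{purpose} account not in register"))
        elif approved[acct] is None:
            findings.append(("NO_OWNER", acct, "registered without an accountable owner"))
    # Access control: break-glass use must reference an incident or change ticket.
    last_seen = {}
    for ts, acct, ticket in sessions:
        last_seen[acct] = datetime.fromisoformat(ts)  # log is chronological
        if discovered.get(acct) == "emergency" and ticket is None:
            findings.append(("EMERGENCY_NO_TICKET", acct, f"used at {ts} without a ticket"))
    # Termination hygiene: registered accounts idle for too long need review or removal.
    for acct in approved:
        if discovered.get(acct) == "emergency":
            continue  # break-glass accounts are expected to sit idle
        seen = last_seen.get(acct)
        if seen is None or now - seen > timedelta(days=stale_days):
            findings.append(("STALE", acct, f"no privileged session in {stale_days} days"))
    return findings
```

Run as `audit(DISCOVERED, APPROVED, SESSIONS, AS_OF)`; each finding maps back to one of the three controls, so the output doubles as a review checklist.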

Insider threats in general, and those associated with privileged users in particular, require a layered approach in order to be dealt with effectively. By making these measures an integral part of your security strategy, you will be able to protect your sensitive data from all sides and strengthen your overall security posture.


Contributed by Marcell Gogan, information security specialist,