
The Perils and Protections of Privileged Accounts

Published 12/13/2023


Written by Alex Vakulov.

Privileged users are the Achilles' heel of any company. Specialized systems for managing privileged access, known as PAM (Privileged Access Management), exist for exactly this reason. Nowadays, PAM is no longer just about account management; it is a cybersecurity strategy for regulating privileged access and permissions for users, accounts, and processes.

PAM is designed for information security departments to help them enforce their security policies and maintain strict control over all user actions during privileged sessions. It establishes who and what is allowed to access a privileged account and the actions they are permitted to take after logging in. This process encompasses a range of features, including credential management, the principle of least privilege, multi-factor authentication, monitoring and recording of privileged sessions, secure remote connections, and much more.


Regular Accounts vs. Privileged Accounts

A regular account is set up for a specific person, who is the only one supposed to use it. It gives the user just enough access to do their job and nothing more. Such an account is usually protected by a password that only its owner knows, so that nobody else can get in.

Privileged accounts, on the other hand, give some users more control over company systems, like making significant changes or accessing sensitive areas. These accounts can belong to either a person or a system, like an account used to run technical services.

The privileged ones include:

  • Domain administrator accounts, which typically manage Active Directory users.
  • Local or domain administrator accounts that manage servers.
  • Database administrator accounts, which manage database servers.
  • Accounts that manage Linux/Unix platforms.
  • Accounts for running and managing Windows applications and services.
  • Network equipment accounts that provide access to routers, firewalls, and switches.

Privileged technical service accounts are a special category: accounts that need elevated rights to run batch jobs and scheduled tasks across a complex web of applications, databases, and file systems. Many services use such accounts to run critical processes, which makes service accounts among the riskiest privileged accounts of all.

Because these accounts are not tied to a specific person, usually no one is directly responsible for them, so their use is rarely monitored closely. Passwords go unrotated for years, and accounts that are no longer needed are never deleted, leaving the systems that trust them open to attack.

The usual person using a privileged account is a system administrator who manages the IT environment or an IT admin in charge of certain hardware or software. A system administrator typically uses privileged accounts to install and update software and hardware, make system configuration changes, reset passwords for other users, and gain access to all computers in a particular environment.

Privileged access management is different from regular access management because it focuses on overseeing the activities of users with higher-level permissions. However, nowadays, the distinction between the approaches and tools used for PAM and standard access management is becoming less clear. Advanced PAM systems offer a unified and secure platform that fits seamlessly into the broader strategy for managing identities and access rights.


Risks of Using Privileged Accounts

Industry experts believe that most security breaches involve these high-level accounts. Even though privileged users get more access to systems, many companies do not keep a close watch on these accounts. Looking after them is usually a manual job that takes up a lot of time for IT staff, and checks on these accounts are often just occasional and irregular, sometimes completely absent.

Password policies leave much to be desired, with some accounts having weak or the same passwords used across different systems. There is also a lack of clear responsibility, as privileged accounts are often used by various IT department members. This lack of oversight creates perfect conditions for hackers. For attackers, getting into an account with extended rights is a big win because it gives them control over important applications and the company's core administrative tasks.

Sometimes, privileged accounts get forgotten. These might be accounts of employees who have left the company but whose access remains active or accounts that are used so infrequently, like test accounts set up during the initial system launch, that they were never turned off.

These overlooked accounts can be a big security problem because they make unauthorized access easier. An employee might find one of these accounts by accident and experiment with what it can do, or they could use it to cause trouble on purpose, especially if they are leaving the company on bad terms or are a malicious insider. According to IBM, privileged accounts were implicated in at least 80% of incidents involving insiders.
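The two problems described above, service accounts with no owner and forgotten accounts that nobody uses or rotates, are easy to find once you have an inventory export. The following is an added example, not code from the original article or from any PAM product, that audits a constructed inventory: the `Account` fields, the thresholds (90 days idle, 365 days without a password change) and the sample accounts are assumptions chosen to illustrate the checks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds are assumptions chosen for the example, not values from the article.
MAX_IDLE_DAYS = 90        # a privileged account unused this long is suspect
MAX_PWD_AGE_DAYS = 365    # a privileged password unchanged this long is suspect


@dataclass
class Account:
    """One row of a (hypothetical) privileged-account inventory export."""
    name: str
    privileged: bool
    kind: str                      # "person" or "service"
    enabled: bool
    owner: Optional[str]           # named person responsible, None if nobody
    last_logon: Optional[date]     # None if the account has never logged on
    pwd_last_set: date


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the reasons an enabled privileged account needs attention (empty if none)."""
    reasons: List[str] = []
    if not (acct.privileged and acct.enabled):
        return reasons                  # disabled or non-privileged accounts are out of scope
    if not acct.owner:
        reasons.append("no named owner")
    if acct.last_logon is None:
        reasons.append("never logged on")
    else:
        idle = (today - acct.last_logon).days
        if idle > MAX_IDLE_DAYS:
            reasons.append(f"idle {idle} days")
    pwd_age = (today - acct.pwd_last_set).days
    if pwd_age > MAX_PWD_AGE_DAYS:
        reasons.append(f"password unchanged for {pwd_age} days")
    return reasons


def audit_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each flagged account name to its list of findings."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = audit_account(acct, today)
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample inventory for the example; none of these are real accounts.
SAMPLE_TODAY = date(2023, 12, 13)


def _days_ago(n: int) -> date:
    return SAMPLE_TODAY - timedelta(days=n)


SAMPLE_ACCOUNTS = [
    Account("alice.adm", True, "person", True, "alice", _days_ago(3), _days_ago(40)),
    Account("svc_backup", True, "service", True, None, _days_ago(1), _days_ago(900)),
    Account("test_admin", True, "person", True, "bob", _days_ago(400), _days_ago(400)),
    Account("jsmith", False, "person", True, "jsmith", _days_ago(1), _days_ago(10)),
    Account("old_dba", True, "person", False, None, None, _days_ago(1200)),
]

if __name__ == "__main__":
    for name, reasons in audit_inventory(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Note that a busy service account still gets flagged when it has no owner or a stale password: activity alone is not evidence that anyone is responsible for it.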

The risk gets even bigger if one privileged account is used for multiple applications and services. If someone with bad intentions gets into this account, they could potentially take down all the applications and services it has access to.

Clever attackers who get into a network might not immediately make any obvious harmful moves. Instead, they could keep a low profile and take time to learn about the IT infrastructure and how information moves around in the company. If they get control of a privileged account, they might stay under the radar for months, acting like they are part of the team. And once something bad does happen, figuring out where the problem started can be really tough.

Having seized a privileged account, attackers can also install remote access tools so that they can reconnect at will and keep carrying out destructive actions for a long time.

Attackers can use privileged accounts to spread malware across a company's network, steal confidential data, shut down systems and equipment, or lock legitimate users out of them. Remember that, given the elevated level of access, the compromise of a privileged account, unlike that of a regular user account, can lead not just to a policy violation but to a disaster for the enterprise.


How Attackers Acquire Privileged Account Access

Social Engineering

Employees often get tricked by phishing emails that look real. For example, they might get an email that seems to be from a business partner discussing new contract terms and asking them to click a link or open a file to learn more. When they do, they may unknowingly install malware. Once attackers have a foothold in the company's network through a regular employee's account, that is just the beginning: they use it as a stepping stone to go after privileged accounts.


Improper Editing of Access Control Groups

Another route to high-level access is simply adding a regular user to a highly privileged group, whether a local group on a system or a group in Active Directory such as Domain Admins. A single membership change, or an edited Group Policy Object that grants rights, can give that user access to sensitive information and a whole set of restricted systems. Nesting makes this harder to spot: a user added to an ordinary-looking group that is itself a member of a privileged group inherits the privileged group's rights without ever appearing in its direct member list.
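A direct diff of a privileged group's member list misses exactly the nested case described above. The following is an added example, not code from the original article or from a directory product, that flattens nested groups and compares the effective membership of each privileged group against an approved baseline. The group names, user names and both snapshots are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

Membership = Dict[str, Set[str]]   # group name -> direct members (users or nested groups)


def effective_members(group: str, membership: Membership) -> Set[str]:
    """Flatten nested groups into the set of users who effectively hold the group's rights."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue                       # guards against membership cycles
        seen.add(current)
        for member in membership.get(current, set()):
            if member in membership:
                stack.append(member)       # a nested group: expand it
            else:
                users.add(member)
    return users


def detect_drift(baseline: Membership, current: Membership,
                 privileged_groups: List[str]) -> List[Tuple[str, str, str]]:
    """Compare effective membership of each privileged group with the approved baseline."""
    findings: List[Tuple[str, str, str]] = []
    for group in privileged_groups:
        before = effective_members(group, baseline)
        after = effective_members(group, current)
        for user in sorted(after - before):
            findings.append((group, user, "added"))
        for user in sorted(before - after):
            findings.append((group, user, "removed"))
    return findings


# Constructed snapshots for the example (not taken from a real directory).
APPROVED_BASELINE: Membership = {
    "Domain Admins": {"alice.adm", "Tier0-Ops"},
    "Tier0-Ops": {"bob.adm"},
    "Helpdesk": {"carol"},
}

# Someone nested Helpdesk into Tier0-Ops and added dave to Helpdesk.
# The direct member list of Domain Admins is unchanged, yet two new users are now domain admins.
CURRENT_SNAPSHOT: Membership = {
    "Domain Admins": {"alice.adm", "Tier0-Ops"},
    "Tier0-Ops": {"bob.adm", "Helpdesk"},
    "Helpdesk": {"carol", "dave"},
}

PRIVILEGED_GROUPS = ["Domain Admins"]

if __name__ == "__main__":
    for group, user, change in detect_drift(APPROVED_BASELINE, CURRENT_SNAPSHOT, PRIVILEGED_GROUPS):
        print(f"{change}: {user} now effectively in {group}")
```

Run this from a scheduled job against regular membership exports and treat any "added" finding for a privileged group as an incident until someone produces the approved change request for it.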


Brute Force Attacks

Attackers use password-guessing attacks to get past login screens, submitting candidate passwords until one is accepted. They often use specialized software that can try thousands of candidates in a short time, and a common variant, password spraying, tries a few likely passwords against many accounts to stay under lockout thresholds. In the same way, they carry out username-guessing attacks with dictionaries of likely usernames, looking for ones that actually exist on the network.

Most companies set up defenses like antivirus software, firewalls, and intrusion detection systems (IDS) to guard against external threats. That is not enough: employee credentials still leak through poor cyber hygiene, such as passwords reused across systems or shared between colleagues in chat and email.


The Role of PAM in Protecting Against Privileged Access Risks

1. Identification of Privileged Accounts

PAM starts by discovering the privileged accounts that exist and who can use them: which accounts have access to which servers, from where and when they can connect, and over which protocols. On that basis you can create separate access policies for accounts across the various systems.


2. Access via Multi-Factor Authentication

Password authentication alone is no longer sufficient for high-value access. Additional authentication factors are required in proportion to the importance of the system or data. With MFA, using an account with local admin rights requires a one-time code from a device the user possesses, such as a hardware or software token. For access to critical network equipment, a third factor such as biometrics (fingerprint, palm vein pattern, facial recognition) can also be required.


3. Access Only to Specific Resources and Accounts

Users with overly broad access are sometimes tempted to misuse it. Numerous high-profile security incidents involving thefts and leaks have repeatedly demonstrated it. A Privileged Access Management system allows for the creation of tailored access control policies. You can establish various user and administrator groups, each with specific rights. Access permissions can be assigned based on asset groups and the operations permitted on those assets, such as viewing, editing, or deleting.


4. Privileged Account Password Management

Privileged users can log into the PAM system with their regular credentials and seamlessly obtain privileged access without a second login. Behind the scenes the PAM system connects to the target with a separate set of keys and passwords that the user never sees, a process known as automatic privileged credential substitution (also called credential injection). This strikes a balance between strong security and user convenience, and because the user never learns the privileged password, it cannot be written down, shared, or reused outside the system. Additionally, passwords for privileged accounts can be rotated after each access session or on a configured schedule.
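The following is an added example, not code from the article or from any PAM product, that models the credential substitution and rotation described above as a small broker: the requester receives an opaque session handle, only the connector reads the password, the credential can be checked out by one person at a time, and the password is rotated when the session is checked in. The class and method names, the password alphabet and length are assumptions for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG; used for the initial secret and every rotation."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class PrivilegedCredential:
    target: str
    account: str
    password: str = field(default_factory=generate_password, repr=False)  # kept out of repr/logs
    checked_out_by: Optional[str] = None


class CredentialBroker:
    """Hands out session handles, not passwords; rotates the secret after every session."""

    def __init__(self) -> None:
        self._creds: Dict[Tuple[str, str], PrivilegedCredential] = {}
        self._sessions: Dict[str, PrivilegedCredential] = {}
        self.audit: List[Tuple[str, str, str, str]] = []   # (event, requester, target, account)

    def register(self, target: str, account: str) -> None:
        self._creds[(target, account)] = PrivilegedCredential(target, account)

    def in_use(self, target: str, account: str) -> bool:
        return self._creds[(target, account)].checked_out_by is not None

    def check_out(self, requester: str, target: str, account: str) -> str:
        """Reserve the credential for one requester and return an opaque session handle."""
        cred = self._creds[(target, account)]
        if cred.checked_out_by is not None:
            raise PermissionError(f"{account}@{target} already in use by {cred.checked_out_by}")
        cred.checked_out_by = requester
        handle = secrets.token_urlsafe(16)          # reveals nothing about the password
        self._sessions[handle] = cred
        self.audit.append(("checkout", requester, target, account))
        return handle

    def connection_parameters(self, handle: str) -> Dict[str, str]:
        """Only the PAM connector calls this; the human user never sees the result."""
        cred = self._sessions[handle]
        return {"host": cred.target, "user": cred.account, "password": cred.password}

    def check_in(self, handle: str) -> None:
        """End the session and rotate the password so the old value is worthless afterwards."""
        cred = self._sessions.pop(handle)
        requester = cred.checked_out_by or "?"
        cred.password = generate_password()
        cred.checked_out_by = None
        self.audit.append(("checkin+rotate", requester, cred.target, cred.account))


def demo_session(broker: CredentialBroker, requester: str, target: str, account: str) -> str:
    """Run one complete session; returns the password the connector used (for the demo only)."""
    handle = broker.check_out(requester, target, account)
    used = broker.connection_parameters(handle)["password"]
    broker.check_in(handle)
    return used


if __name__ == "__main__":
    broker = CredentialBroker()
    broker.register("db01", "sa")
    first = demo_session(broker, "alice", "db01", "sa")
    second = demo_session(broker, "bob", "db01", "sa")
    print("password rotated between sessions:", first != second)
    print(broker.audit)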


5. Secure Storage of Privileged Session Data

Access credentials, including keys and passwords, along with privileged session data, are stored in a dedicated vault. This sensitive data is encrypted at rest and in transit with strong algorithms to ensure its protection.


6. Privileged Session Management

PAM can require that a privileged session be approved before it starts. For example, a subsystem administrator with restricted privileges requests access to a protected system; the request is routed to the responsible employee, and the administrator's session is held until that approver gives the green light. Once authorized, the administrator can work in the restricted system, typically for a limited time.


7. Setting up Access for Partners and Contractors

Today, many companies outsource the maintenance of applications, grant system access to external vendor developers or integrators, and rely on external suppliers for database management. Granting external contractors wide-reaching access to company systems poses significant security risks and makes monitoring those outside the organization's physical premises challenging. PAM systems can mitigate these risks by restricting third-party access to only essential resources and enforcing time-bound limitations on such access.
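The tailored policies from section 3 and the time-bound contractor access from this section come together in one authorization decision. The following is an added example, not code from the article or from any PAM product, of a deny-by-default policy evaluator: rules are keyed on user or group, asset group and permitted operations, and may carry a validity period and permitted hours. The asset names, groups, the contractor account `vendor.acme` and its contract dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One allow rule: who may do what on which asset group, and when."""
    subject: str                               # a user name, or "group:<name>"
    asset_group: str
    operations: FrozenSet[str]
    not_before: Optional[datetime] = None      # contract or change-window start
    not_after: Optional[datetime] = None       # access expires automatically at this moment
    hours: Optional[Tuple[int, int]] = None    # permitted local hours [start, end); None = any time


def policy_applies(p: Policy, user: str, groups: List[str],
                   asset_group: str, operation: str, at: datetime) -> bool:
    if p.subject != user and p.subject not in {f"group:{g}" for g in groups}:
        return False
    if p.asset_group != asset_group or operation not in p.operations:
        return False
    if p.not_before is not None and at < p.not_before:
        return False
    if p.not_after is not None and at >= p.not_after:
        return False
    if p.hours is not None and not (p.hours[0] <= at.hour < p.hours[1]):
        return False
    return True


def authorize(policies: List[Policy], asset_groups: Dict[str, str], user: str,
              groups: List[str], asset: str, operation: str, at: datetime) -> Tuple[bool, str]:
    """Deny by default; the first matching allow rule wins."""
    asset_group = asset_groups.get(asset)
    if asset_group is None:
        return False, f"unknown asset {asset}"
    for p in policies:
        if policy_applies(p, user, groups, asset_group, operation, at):
            return True, f"allowed by policy for {p.subject} on {p.asset_group}"
    return False, "no matching policy (deny by default)"


# Constructed sample data for the example; names, groups and dates are assumptions.
ASSET_GROUPS = {"db01": "prod-db", "db02": "prod-db", "erp-web": "erp-app"}

POLICIES = [
    Policy("group:dba", "prod-db", frozenset({"view", "edit"})),
    Policy("group:ops", "prod-db", frozenset({"view"})),
    # External integrator: one application only, business hours only, contract period only.
    Policy("vendor.acme", "erp-app", frozenset({"view", "edit"}),
           not_before=datetime(2023, 12, 1), not_after=datetime(2024, 1, 1), hours=(9, 18)),
]

# Sample request times used below.
BUSINESS_HOURS = datetime(2023, 12, 13, 10)
EVENING = datetime(2023, 12, 13, 20)
AFTER_CONTRACT = datetime(2024, 1, 5, 10)

if __name__ == "__main__":
    for user, groups, asset, op, at in [
        ("dana", ["dba"], "db01", "edit", BUSINESS_HOURS),
        ("vendor.acme", [], "erp-web", "edit", EVENING),
        ("vendor.acme", [], "erp-web", "edit", AFTER_CONTRACT),
        ("vendor.acme", [], "db01", "view", BUSINESS_HOURS),
    ]:
        print(user, asset, op, at.isoformat(), "->", authorize(POLICIES, ASSET_GROUPS, user, groups, asset, op, at))
```

The contractor's access expires without anyone having to remember to revoke it, which addresses the offboarding gap the section warns about; the revocation process is still needed for the case where the contract ends early.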


8. Warning Administrators About Various Privileged Access Events

Privileged Access Management systems can be configured to alert a security officer about important events, such as failed authentications to privileged accounts, privileged sessions started outside an approved time window, or attempts to reach resources a user is not entitled to. This lets each incident be analyzed quickly and individually and limits the potential damage.
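The alerting described here and the password-guessing attacks from the "Brute Force Attacks" section above are two sides of the same detection logic. The following is an added example, not code from the article or from any PAM or SIEM product, that runs three rules over a constructed SSH authentication log: every failed login to a privileged account is alerted individually, repeated failures for one user from one source are flagged as brute force, and one source failing against many different users is flagged as password spraying. The account list, thresholds and window are assumptions for the example; the log lines follow the OpenSSH syslog format but are constructed, using documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Detection parameters are assumptions for the example; tune them to your environment.
PRIVILEGED_ACCOUNTS = {"root", "admin", "dba"}
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_THRESHOLD = 4     # failures for one user from one source inside WINDOW
SPRAY_THRESHOLD = 3           # distinct users attacked from one source inside WINDOW

# Matches the OpenSSH "Failed password for ..." / "Accepted ... for ..." syslog lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str) -> Optional[Tuple[datetime, bool, str, str]]:
    """Return (timestamp, failed?, user, source) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp; fine for deltas
    return ts, m["result"] == "Failed", m["user"], m["src"]


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Stream the log once and emit (alert_type, source, detail) tuples in order."""
    alerts: List[Tuple[str, str, str]] = []
    per_pair: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    per_src: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    fired = set()   # so each brute-force / spray alert fires once per offender
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, failed, user, src = rec
        if not failed:
            continue
        # Rule 1: every failed authentication to a privileged account is alerted individually.
        if user in PRIVILEGED_ACCOUNTS:
            alerts.append(("privileged_auth_failure", src, user))
        # Rule 2: repeated failures for the same user from the same source (brute force).
        pair = per_pair[(src, user)]
        pair.append(ts)
        while pair and ts - pair[0] > WINDOW:
            pair.popleft()
        if len(pair) >= BRUTE_FORCE_THRESHOLD and ("brute", src, user) not in fired:
            fired.add(("brute", src, user))
            alerts.append(("brute_force", src, user))
        # Rule 3: one source trying many different users (password spraying / user enumeration).
        recent = per_src[src]
        recent.append((ts, user))
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()
        distinct = {u for _, u in recent}
        if len(distinct) >= SPRAY_THRESHOLD and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append(("password_spray", src, f"{len(distinct)} users"))
    return alerts


# Constructed sample log for the example (documentation IP ranges; not a real capture).
SAMPLE_LOG = [
    "Dec 13 08:00:01 bastion sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Dec 13 08:00:05 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Dec 13 08:00:06 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Dec 13 08:00:07 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Dec 13 08:00:08 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "Dec 13 08:01:00 bastion sshd[2220]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2",
    "Dec 13 08:01:02 bastion sshd[2221]: Failed password for invalid user test from 198.51.100.9 port 40002 ssh2",
    "Dec 13 08:01:04 bastion sshd[2222]: Failed password for bob from 198.51.100.9 port 40003 ssh2",
    "Dec 13 08:30:00 bastion sshd[2230]: Failed password for carol from 10.0.0.5 port 50200 ssh2",
    "Dec 13 08:30:01 bastion systemd[1]: Started Session 12 of user carol.",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single typo by carol produces no alert, while the first failed login as root is alerted immediately, before any threshold is reached: for privileged accounts the bar is deliberately lower.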


9. Terminating a Privileged Account Session

The Privileged Access Management system enables real-time monitoring of administrators' activities. Should any unauthorized actions by a privileged user be detected, the session can be terminated instantly.


10. Monitoring and Logging of All Privileged Actions in Systems

PAM systems record operational logs and store them securely beyond the reach of the monitored user, allowing complete playback of an employee's activities within the system. These logs capture critical details like timing, the subjects and objects of access, and the specific actions performed on the accessed objects. The system includes textual session logging with search functionality, video recordings, and screenshot capture, all indexed for easy retrieval and review. Such detailed record-keeping ensures that the data is not only useful for security and oversight but can also serve as evidence in legal proceedings.


Developing a Secure Strategy for Privileged Access: Where to Begin

A plan is the first step to turning a vision into reality. Managing privileged access begins with strategic planning, and it helps to start by answering some fundamental questions:


1. Which Accounts Are Considered Privileged?

Create a detailed map that pinpoints the systems' critical functions and the data they hold, identifying which systems are essential to remain active or be promptly recovered in a crisis. Following this, it is crucial to catalog the existing privileged accounts associated with these systems. Classifying these accounts early on is smart management - it gives you insight into the privileged accounts already in play and helps set the priorities for their oversight.


2. Who Needs Access to Privileged Accounts?

It is necessary to categorize all access into four distinct groups: employee, application or service, system accounts, and infrastructure accounts. By doing this, you can more accurately identify the security measures that must be implemented for each type of privileged account.


3. Do Third-Party Employees Need Access?

This group of users presents the highest risk: external staff are not governed by the company's own policies, and their access is harder to supervise. It is vital to establish clear standards for this group, defining how access is granted and for how long, together with prompt processes for withdrawing access once the contract with third-party personnel ends.


4. Is It Necessary to Set a Time Limit for Using Privileged Rights?

Some accounts with elevated privileges are only needed at specific times, such as at the end of a business day, month, or year, for system updates or scheduled vulnerability scans. It is easier to spot irregular usage patterns with this information. Ideally, access to these accounts should be restricted during non-essential periods.


5. What Happens When a Privileged Account Is Compromised?

Many businesses are caught off guard by cyberattacks, underscoring the need for a response plan if a privileged account is breached. It is important to outline the immediate actions that should be taken to minimize damage and secure the systems.


6. How to Protect Yourself From Internal Threats?

Developing a strategy to safeguard against internal threats is essential, as security issues often arise from within an organization. It is important to implement access control policies where most employees do not have simultaneous access to all critical systems. Access should be limited to the minimum necessary and promptly reassessed when an employee changes roles to ensure that any elevated privileges are appropriately removed.


7. Is There a Special Section in the Company's Security Policy Regarding the Use of Privileged Access?

It is common for companies to have a general policy covering all aspects of access control, yet not all have a dedicated document or section for managing privileged accounts. Implementing such a document is a good idea. It should address all management and control issues of privileged access and clearly outline responsibilities.


8. Are There Any Regulations/Requirements That Must Be Observed?

Many companies, particularly in the financial sector, are required to conduct regular internal and external audits. By proactively developing and enforcing policies for privileged access management, you will be well-prepared to effectively present these strategies to auditors.


9. What Data Is Needed for Monitoring and Reporting?

By identifying in advance the key data to be analyzed for managing privileged access, including the number and distribution of connections, user classifications, actions taken during privileged sessions, and authorization errors, you can detect anomalies sooner and limit their consequences. If an incident does occur, it will be much easier to determine its cause quickly using ready-made reports.


How to Implement a PAM Strategy

Phishing emails, social engineering methods, and remote work have become commonplace today. Therefore, it is vital to begin your PAM efforts by educating employees on safe practices for handling company resources. Security awareness training is particularly vital for personnel working with privileged accounts, which demand enhanced security and oversight.

Draft and ratify a comprehensive document detailing your company's protocols for managing privileged access. This document should cover account classifications, procedures for creation and revocation, monitoring, and reporting guidelines.

Ensure that privileged accounts are secured with robust passwords. There have been instances where administrative accounts are assigned simple passwords that rarely get changed. It presents a serious issue that hackers can exploit.

Moreover, restrict privileged access to the greatest extent possible. Grant access to specific users for designated resources and only for a certain period of time.

Avoid automatically assigning privileged account access based solely on job titles. Establishing a new privileged account and granting access should follow an established, formally approved procedure that includes required authorization.

Keep a close watch on privileged work sessions to detect malicious activities promptly and take appropriate action.

Ensure the prompt revocation of privileged access when it is no longer necessary, such as when an employee changes roles or when a contract with an external worker ends.

Manually overseeing privileged access is often inefficient and prone to mistakes and delays. Moreover, manual oversight becomes unsustainable with company growth. It is advisable to consider adopting an automated system and selecting a trustworthy partner to manage privileged access effectively and mitigate information security risks.


Choosing the Right Solution and Reliable Partner

When assessing solutions for managing privileged access, it is crucial to determine their adequacy for your organization's needs. Here are some essential considerations:

  • Does the solution comprehensively meet your company's privileged access management needs, or will it require additional development and extra costs for such customizations?
  • Will the solution's user experience streamline operations or add complexity?
  • What is the expected return on investment timeline for the solution?
  • Does the vendor offer robust technical support?
  • Are the solution's updates aligned with the evolving threat landscape?
  • Can the solution scale in response to your organization's growth and changes in the IT environment?
  • Is there potential for integration with other security systems, such as Identity Management (IdM) and Security Information and Event Management (SIEM) systems?


Conclusion

Misusing privileged accounts presents a critical threat to any enterprise's security, with attackers exploiting such access to cause extensive damage and remain undetected for long periods. To mitigate these risks, companies must implement comprehensive PAM strategies, continuously educating employees, securing accounts with strong passwords, monitoring usage, and integrating advanced solutions for rigorous oversight and control.
