Privileged Users and the Threat of Cyber Attacks
Every privileged account on your network is like a large chef's knife in the kitchen—necessary, but potentially dangerous. Privileged accounts are typically given only to systems administrators and others who need elevated, unfettered access to a network's underlying platform. Overall, that's a good thing. But it also threatens your organization with two major risks:
- Privileged account usernames and passwords can be stolen by cyberthieves from outside of your organization, who can then use this access to steal valuable data or introduce crippling malware into your systems.
- Your own employees can go rogue, becoming malicious insiders who either steal privileged accounts from others, or misuse their own access rights.
Root of all Evil
Such incidents are becoming more common. In fact, one security firm estimates that fully 100% of all advanced attacks are made by exploiting privileged credentials. Damage caused by privileged users, or by those impersonating them, is the most extensive, hardest to mitigate and most difficult to detect, because authorized users are doing things they are authorized to do. A Ponemon Institute report involving more than 740 IT security and operations managers found that nearly half of managers expect the risk of privileged user abuse to increase. Similarly, 60% said they believe their organizations are unnecessarily granting access to users beyond their roles and responsibilities. When asked whether they thought the abuse would come from inside or outside the organization, respondents to the survey were evenly split. Nearly half said it was likely or very likely that social engineers outside their organizations would target privileged users to obtain their access rights. And 46% said it was likely or very likely that malicious insiders would target privileged users to obtain their access rights.
Preventative Action
What's the best way to protect against privileged access abuses? You can't simply revoke this level of access. After all, your sys admins need access to your network's inner workings. But you can take some concrete, protective steps. Here are 4 recommended by CERT and the SANS Institute:
- Leverage privilege control tools instead of providing direct access to privileged accounts. Tools like "sudo" for Linux and Unix allow authorized users to obtain root/admin privileges as needed, and are far more customizable than providing blanket access to root/admin accounts. Because each elevated command is logged under the invoking user's own name, this also simplifies auditing user actions and attributing particular actions to specific users.
- Enforce separation of duties and the principle of least privilege. The former means not allowing any single employee the ability to perform all privileged actions for a system or application. The latter means granting employees only the bare minimum privileges they need.
- Implement strict password and account policies and be sure to enforce them for all users.
- Log and monitor employees' online actions. It's best to use a variety of techniques to see what actions your privileged users are taking.
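The first and fourth recommendations above work together: sudo attributes every elevated command to the person who ran it, and that attribution is only useful if someone actually reviews the resulting log. The following script is an added example, not code from the original article or from CERT/SANS. It parses lines in the standard sudo syslog format, compares each user's commands against a per-user allowlist that mirrors what a sudoers Cmnd_Alias would grant, and reports denied attempts and commands outside the allowlist. The host name "web01", the users alice/bob/carol, the log lines and the allowlist are all constructed for the example.

```python
import re
from collections import defaultdict

# sudo's syslog record: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
# The optional <reason> field is present on failures ("user NOT in sudoers", "command not allowed", ...).
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssudo:\s+"
    r"(?P<user>\S+)\s:\s(?:(?P<reason>[^;]+?)\s;\s)?"
    r"TTY=(?P<tty>\S+)\s;\sPWD=(?P<pwd>\S+)\s;\sUSER=(?P<target>\S+)\s;\sCOMMAND=(?P<cmd>.+)$"
)

# Constructed sample log (hypothetical host "web01" and users alice, bob, carol).
SAMPLE_LOG = """\
Mar  3 09:12:41 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:13:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Mar  3 09:20:17 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install htop
Mar  3 09:21:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:30:02 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
"""

# Assumed per-user policy: command prefixes each user is expected to run with elevated rights.
# This mirrors a least-privilege sudoers configuration rather than blanket "ALL=(ALL) ALL".
ALLOWED = {
    "alice": ("/usr/bin/systemctl", "/usr/bin/journalctl"),
    "bob": ("/usr/bin/apt-get",),
}


def parse_sudo_lines(text):
    """Return a list of dicts, one per line that matches the sudo record format."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def command_permitted(cmd, prefixes):
    """True if cmd is exactly one of the prefixes or starts with one followed by arguments."""
    return any(cmd == p or cmd.startswith(p + " ") for p in prefixes)


def review(events, allowed):
    """Return (findings, tally).

    findings: tuples (user, kind, detail, command) for denied attempts and for
              successful commands outside the user's allowlist.
    tally:    number of sudo records per invoking user, for a quick activity overview.
    """
    findings = []
    tally = defaultdict(int)
    for e in events:
        tally[e["user"]] += 1
        if e["reason"]:
            # sudo refused the request; the reason text says why.
            findings.append((e["user"], "denied", e["reason"].strip(), e["cmd"]))
            continue
        if not command_permitted(e["cmd"], allowed.get(e["user"], ())):
            # Elevation succeeded but the command is not one this user is expected to run.
            findings.append((e["user"], "outside-allowlist", e["target"], e["cmd"]))
    return findings, dict(tally)


if __name__ == "__main__":
    evs = parse_sudo_lines(SAMPLE_LOG)
    found, counts = review(evs, ALLOWED)
    for user, n in sorted(counts.items()):
        print(f"{user}: {n} sudo record(s)")
    for f in found:
        print("FINDING:", f)
```

Running it against the sample flags bob's elevation to an interactive shell (a command his allowlist does not cover) and carol's denied attempt; alice's two commands match her allowlist and produce no finding. In practice the allowlist would be generated from the actual sudoers policy rather than maintained by hand, so that what the review tool expects and what sudo enforces cannot drift apart.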