by Morey Haber, CTO, BeyondTrust
People are an organization's most valuable resource. But they can also be its greatest vulnerability, especially when armed with weak credentials, all-too-powerful privileged accounts, and security ignorance or hubris. The problem is simple: too many users have too much access. In fact, a recent survey we conducted revealed that 38% of organizations grant admin rights to their workforce by default, despite 79% saying it is a major security risk.
So, while most organizations focus ample security resources on controlling and protecting the boundaries of their networks, many pay inadequate attention to what's happening on the inside. Today's threats burrow under or through perimeter defenses, exploiting key individuals and fault lines within an organization to cripple the entire structure. To combat them, organizations must be able to monitor for suspicious behavior, take the destructive potential out of users' hands, and become "Privilege Ready" by adhering to five best practices.
Fix vulnerabilities and reduce the attack surface
The first step to Privilege Readiness is ensuring that the system and application vulnerabilities that could open pathways into your environment are prioritized according to risk: how exposed the affected asset is and whether the flaw is being actively exploited, not just its severity score. Vulnerabilities should be patched regularly, and the process should be automated wherever possible.
Enable application whitelisting (allowlisting) so that the only applications that run are those from a trusted source. Closing off these inroads reduces the attack surface, making it considerably more difficult for an outside attacker to gain the initial foothold that would turn them into an insider.
Adopt the principle of least privilege
The second key piece of Privilege Readiness is to adopt the Principle of Least Privilege. Any end user or application should be granted the minimum possible privileges and rights they need to perform their role or function. While it might seem more efficient to grant users as much leeway as possible when working on the organization’s network, this proves to be unjustifiably risky in practice.
Least privilege applies not only to who uses these accounts but also to how and when they are used. Role-based access control is key to making least privilege work as smoothly as possible: users receive the access their role requires and nothing more, which balances access against security while keeping the process largely invisible to them.
A tiering model for access, in which even admin accounts hold only the rights they need, also helps. It shrinks the set of highly privileged targets, so an attacker who lands on one system has a much harder time escalating and moving laterally through your network. Admin accounts should be kept separate from day-to-day, "non-privileged" accounts and used only when a task requires their wide-ranging powers. This practice is referred to as privilege separation.
Because Tier 1 Unix and Linux servers handle critical data, it is important to limit the potential for lateral movement. Broad access rights to these resources equate to almost uncapped risk, jeopardizing your most sensitive data and assets. Either let users log in as themselves and elevate only the specific commands they need to run, rather than handing out a shared root password, or delegate specific, granular privileges.
Organizations should also consider implementing time-based privileged access controls that deny privileged access outside approved hours, so that attackers find it harder to use powerful accounts at night or on weekends when no one is watching.
Network segmentation also falls under least privilege: separate the parts of your network that do not need to interact with one another. This impedes lateral movement by eliminating pathways between segments.
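The difference between "delegate granular privileges" and "grant ALL" is easiest to see in a sudoers policy, which is where most Unix and Linux delegation ends up. The following is an added example, not BeyondTrust's code or product output: a small linter that parses a constructed sudoers fragment (the group names, hosts and command paths are assumptions) and flags the two grants that defeat least privilege, an unrestricted `ALL` command set and a rule that hands out an interactive shell, while passing the role that is limited to the two `systemctl` commands it actually needs.

```python
"""Lint a sudoers policy for grants that defeat least privilege.

Added example (not BeyondTrust's code). SAMPLE_SUDOERS is a constructed
policy; the group names, hosts and command paths are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: two "all powers" grants, one granular role, and a
# granular-looking grant that hands out a root shell.
SAMPLE_SUDOERS = """\
# Weak: every member of ops may run anything as anyone, without a password
%ops ALL=(ALL) NOPASSWD: ALL

# Weak: a named user with unrestricted root
alice ALL=(ALL) ALL

# Granular: exactly the commands the web-operations role needs, on its hosts
Cmnd_Alias WEBRESTART = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
%webops web01,web02=(root) WEBRESTART

# Looks granular, but a shell is root in disguise
bob ALL=(root) /bin/bash
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
ALIAS_KEYWORDS = ("Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "Defaults")

# user_or_group  host_list = (runas) tag: command, command ...
_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ...


@dataclass
class Finding:
    line_no: int
    principal: str
    reason: str


def parse_cmnd_aliases(text):
    """Return {alias_name: [command, ...]} for every Cmnd_Alias line."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, cmds = rest.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
    return aliases


def lint_sudoers(text):
    """Flag user specifications that grant ALL or an interactive shell."""
    aliases = parse_cmnd_aliases(text)
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(ALIAS_KEYWORDS):
            continue
        m = _SPEC_RE.match(line)
        if not m:
            continue
        who = m["who"]
        expanded = []
        for cmd in m["cmds"].split(","):
            cmd = _TAG_RE.sub("", cmd.strip())        # drop NOPASSWD: etc.
            expanded.extend(aliases.get(cmd, [cmd]))  # expand Cmnd_Alias names
        if "ALL" in expanded:
            tag = " without a password" if "NOPASSWD:" in m["cmds"] else ""
            findings.append(Finding(line_no, who, f"unrestricted command set (ALL){tag}"))
        for cmd in expanded:
            if cmd and cmd.split()[0] in SHELLS:
                findings.append(Finding(line_no, who, f"grants an interactive shell ({cmd})"))
    return findings


if __name__ == "__main__":
    for f in lint_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.principal}: {f.reason}")
```

Running it against a real policy is as simple as `lint_sudoers(open("/etc/sudoers").read())`, repeated for each file in `/etc/sudoers.d`; note that it reads the policy file directly and does not follow `@include` directives, so include those files explicitly.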
Protect privileged accounts and credentials
Your highly privileged and shared accounts must be discovered, grouped for easier management, monitored, and audited. Passwords must be strong, unique, and rotated regularly. Furthermore, when accessing work services, passwords should be entered only on approved devices that can protect those credentials.
Additionally, eliminate hard-coded/embedded credentials where possible; where you cannot, those credentials need to be watched closely in real time. Passwords are an intrinsic weak link, but a variety of measures, including multi-factor authentication, single sign-on, and biometrics, can bolster security and help prevent lateral movement within the network.
Enhanced authentication should be applied to any internet-facing service or high-risk account. Strongly consider automated password management to cut down on passwords stored in plain text or embedded in code and to enforce password policy consistently.
Report on user activity and monitor critical resources
Regardless of how you manage privileged access, ensure that all privileged activity is logged and monitored. This entails implementing session recording and other technologies, which can be accomplished, to some extent, by setting up screen recording and other manual processes. However, session reporting and management quickly become untenable in environments with hundreds or thousands of concurrent sessions. Automated privileged session management and monitoring solutions can enable streamlined visibility and control over privileged access to servers, databases, and network devices while capturing keystrokes, text/graphical screen output, and mouse movements.
To gain deeper visibility into risk, correlate the privileged user activity reporting against other behavioral metrics. This will help you spot risky users, compromised accounts, and abnormal access by flagging suspicious behavior in your environment. Auditing and reporting can also be automated against compliance objectives by highlighting directory changes that would threaten security or hamstring compliance, giving you the clarity and detail demanded by regulatory regimes such as GDPR.
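What "correlating privileged activity against behavioral metrics" looks like at the smallest scale is a set of rules run over the elevation log, with events that trip several rules at once ranked first. The following is an added example, not BeyondTrust's code or product output: it parses a handful of constructed sudo syslog lines (the hosts, users and commands are made up; the line format is the one sudo writes to syslog), checks each elevation against an allowlist of admin accounts, a per-user baseline of hosts, a business-hours window (the log-side counterpart of the time-based control described earlier), and a list of shells, and then groups the alerts per event so the analyst sees the off-hours root shell on an unfamiliar host before the single failed attempt.

```python
"""Flag anomalous privileged activity in sudo syslog lines.

Added example (not BeyondTrust's code). The log lines, the admin allowlist,
the host baseline and the business-hours window are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in sudo's syslog format: four accepted elevations and
# one denied attempt ("user NOT in sudoers").
SAMPLE_LOG = """\
Jan 14 09:12:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 09:40:22 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Jan 14 02:13:41 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 14 11:05:09 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 14 10:30:00 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
"""

# Assumed context an analyst would normally pull from the directory and
# from previous logs: who is allowed to hold admin rights, where each of
# them usually elevates, and when elevation is expected.
PRIVILEGED_USERS = {"alice"}
BASELINE_HOSTS = {"alice": {"web01"}}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}

_LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) sudo:\s+(?P<user>\S+) : (?:(?P<denied>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command: str


def parse_line(line):
    """Return the fields of one sudo syslog line, or None if it is not one."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, privileged_users, baseline_hosts, business_hours):
    """Run each elevation event through the rules; one Alert per rule tripped."""
    alerts = []
    # Hosts seen per user, seeded from the baseline and updated as we go,
    # so a user's second elevation on a new host is no longer "first".
    seen = defaultdict(set, {u: set(h) for u, h in baseline_hosts.items()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, host, cmd = ev["user"], ev["host"], ev["cmd"]
        if ev["denied"]:
            alerts.append(Alert(host, user, "denied elevation attempt", cmd))
            continue
        if user not in privileged_users:
            alerts.append(Alert(host, user, "elevation by non-admin account", cmd))
        if int(ev["hh"]) not in business_hours:
            alerts.append(Alert(host, user, "elevation outside business hours", cmd))
        if host not in seen[user]:
            alerts.append(Alert(host, user, "first elevation on this host", cmd))
        seen[user].add(host)
        if cmd.split()[0] in SHELLS:
            alerts.append(Alert(host, user, "interactive root shell", cmd))
    return alerts


def prioritise(alerts):
    """Group alerts per event; events tripping several rules rank highest."""
    by_event = defaultdict(list)
    for a in alerts:
        by_event[(a.host, a.user, a.command)].append(a.rule)
    return sorted(by_event.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for (host, user, cmd), rules in prioritise(
        detect(SAMPLE_LOG, PRIVILEGED_USERS, BASELINE_HOSTS, BUSINESS_HOURS)
    ):
        print(f"{host} {user} {cmd!r}: {', '.join(rules)}")
```

The two routine `systemctl` elevations by alice on web01 produce nothing, which is the point: the rules encode what "normal" privileged activity looks like so that only deviations surface. A real deployment would feed the same rules from a session-management system or a SIEM rather than from a text file, and would extend the baseline with the commands each role normally runs.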
Automate wherever possible
While it is possible to forge a path to Privilege Readiness through manual processes and by accumulating and implementing multiple tools, nearly the entire pathway to Privilege Readiness can be automated. By applying automation throughout each step—from managing vulnerabilities and enforcing least privilege, to managing privileged accounts and conducting advanced threat analysis—you can vastly reduce your organization’s attack surface and become Privilege Ready.
You should always assume that an attacker with enough time and resources will eventually be successful. When that does happen, it’s important to detect those breaches as soon as possible, stop lateral movement, and limit the damage the attacker can cause. Limiting privileges is sometimes seen as a hindrance to an efficient workflow, but it need not be. By taking that unknowable potential for harm out of users’ hands, you can put them “beyond trust.”
About the Author
With more than 20 years of IT industry experience, Mr. Haber is the author of Privileged Attack Vectors. He joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.