While malware attacks — especially ransomware — seem to make the headlines nearly every day, another serious threat goes largely ignored: privileged user accounts. These powerful accounts can be misused by their owners or taken over and used by attackers, most often to steal the organization’s valuable data. This threat is very real, as evidenced by the highly publicized attacks on corporate giants such as Deloitte, Home Depot, Morgan Stanley and Anthem. According to the 2017 Verizon Data Breach Investigations Report, 25% of breaches involved internal actors and 14% involved privilege misuse. But that’s not the whole story. While attackers often get a foothold through some other means, such as phishing or stolen user passwords, creating or taking over a privileged account is often a vital step in completing their mission.
In this post, we’ll review what privileged accounts are and why they are so dangerous, and touch upon four key things you can do to mitigate the threat they pose.
What is a privileged user account?
A privileged user account is an account with elevated permissions to systems (such as cloud services or industrial control systems), user endpoints (such as PCs and mobile devices) or data (such as unstructured corporate intelligence files or customer data stored in databases).
For example, a person using a privileged account might be able to change system configuration settings, read and modify sensitive data, or grant access to critical assets to other users.
Although the term “privileged user account” might seem to be self-explanatory, many organizations fail to recognize all the types of privileged accounts they actually have, especially since the accounts don’t have the same amount of power. Here are the types of privileged accounts that organizations use most often:
- Domain administrator accounts — These accounts have access to all workstations and servers across a specific domain and can control system configurations, administrative accounts and domain group membership. This is the highest level of control within a domain (in a multi-domain forest, the Enterprise Admins group sits above it).
- Local administrator accounts — These accounts have administrative control over a particular server or workstation and everything stored there. Many IT departments create a separate local administrator account for each server, to be used for maintenance tasks.
- Application administrator accounts — These accounts have full access to a specific application and the data stored in it. For instance, a database administrator might need to access, manage and configure particular databases.
- Business privileged user accounts — These are personal accounts with high-level privileges assigned in accordance with job responsibilities. These accounts are often created for managers or database operators who work with sensitive information, such as financial or HR data.
- Service accounts — These accounts are used by applications and services, not by a person, to run and to authenticate to other systems. They should have domain access only if the application actually requires it.
- Emergency accounts — In case of a disaster or a disruption in application availability, emergency (“break-glass”) accounts give otherwise unprivileged users admin access so they can secure systems or fix the problem as fast as possible.
What are the challenges in managing the accounts properly?
Who gets to have these types of privileged user accounts? Network administrators, database administrators, application developers and C-level executives are all often granted elevated privileges because they need to work directly with critical data and infrastructure.
While business privileged user accounts are typically assigned to individuals, many of the other types of privileged accounts are usually shared by multiple admins. This common strategy leads to several challenges:
- It can be difficult to hold each person accountable for the actions they take using the privileged account, which increases the likelihood that admins will be less careful than they should be when performing their duties, or will even take unauthorized actions.
- Password management is often lax. For example, local admin accounts often have the same password across a platform or across the whole organization, so one compromised machine yields the password (or its hash) for every other machine that uses it. Service account passwords are rarely changed, because the same change must be made simultaneously in every dependent system, which is not an easy task. Such failures to enforce strong password management increase the risk that attackers will gain control of a powerful account.
- Proper account deprovisioning can be overlooked. For instance, once local admin accounts are created for maintenance, admins often forget to delete them. This leaves the privileged account ripe for attackers to exploit.
Why are privileged user accounts so dangerous?
Privileged user accounts are dangerous because they are so powerful, and that power can be misused in several different ways:
- Unintentionally — Because users with privileged accounts have access to critical systems and data, any mistake they make can have serious consequences. For instance, a privileged user might make an unauthorized modification to critical data without thinking through the consequences, or grant a user access to a file share that stores sensitive data without checking whether there is a legitimate business need, putting that data at risk.
- Maliciously — Because privileged accounts have legitimate access rights, malicious actions can be difficult to spot — if the organization even makes the attempt. Often, these users enjoy high levels of trust from the organization, which can lead to the mentality that they are somehow “above the law,” and not subject to the security restrictions that apply to other employees. As a result, their actions may not even be closely monitored. Plus, these users often have the expertise to defeat controls and do maximum damage while hiding their tracks, and as noted earlier, shared and reused passwords can make holding individuals accountable for their actions very difficult.
- By attackers — Privileged accounts are also a top target for cyber criminals, who will attempt to obtain the powerful credentials using a variety of techniques, from phishing to brute force to coercion. The legitimate owner or user of the account might not even realize the account has been hijacked until it’s too late. Attacks often unfold like this: A hacker breaches the perimeter, takes control of a user’s PC, silently steals any privileged credentials cached there, and then moves from machine to machine looking for additional privileged users to hijack. In fact, hackers often dwell in the network undetected for months, steadily elevating their privileges until they are powerful enough to steal the organization’s data.
How can you mitigate the risk of privileged account abuse?
To tackle the threat of privileged users in line with industry best practices, you need the following:
- Efficient privileged account management — Ensure that privileged users in your IT environment have only the access rights they need to do their jobs.
- Control over access to privileged user accounts — Protect your privileged accounts from unauthorized use with strong password management and techniques such as multi-factor authentication.
- Privileged user monitoring — Gain visibility into the actions of privileged users to catch privilege abuse or external attacks quickly and limit the damage. Simply letting users know that user activity monitoring is in place can also go a long way towards deterring misbehavior and even preventing accidental misuse, since users are likely to be more careful about their actions.
- User behavior analytics — Discover and investigate anomalies in user behavior patterns so you can identify the privileged users with the most suspicious activity and respond in time.
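The lateral-movement pattern described under “By attackers” and the monitoring and behavior-analytics practices above can be turned into concrete detections. The following is an added example, not code from the original post or from any vendor product: it runs two rules over a constructed set of Windows Security log events (Event ID 4672, special privileges assigned to a new logon, and Event ID 4624, successful logon). Rule 1 flags a privileged account that performs network or RDP logons to several distinct hosts inside a short window; rule 2 learns, per privileged account, which hosts and hours are normal from a baseline period and flags logons that deviate. The sample events, the host names, the 30-minute window and the three-host threshold are assumptions for illustration.

```python
"""Two detections over Windows Security events for privileged accounts.

Rule 1 (fan-out): a privileged account performs network or RDP logons to
several distinct hosts inside a short window, the pattern of an attacker
moving machine to machine with a stolen credential.
Rule 2 (baseline deviation): a privileged account logs onto a host it has
never used, or outside the hours it normally works, a minimal form of
user behavior analytics.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT real logs. One JSON object per line with a
# subset of Windows Security log fields: 4672 = special privileges assigned
# to a new logon (an admin-level token), 4624 = successful logon.
# LogonType 2 = interactive console, 3 = network, 10 = RDP.
SAMPLE_LOG = """\
{"time": "2024-03-04T09:12:00", "id": 4672, "user": "dbadmin", "host": "SQL01"}
{"time": "2024-03-04T09:12:00", "id": 4624, "user": "dbadmin", "host": "SQL01", "type": 10, "src": "10.0.5.20"}
{"time": "2024-03-05T14:40:00", "id": 4624, "user": "dbadmin", "host": "SQL02", "type": 10, "src": "10.0.5.20"}
{"time": "2024-03-04T02:00:00", "id": 4672, "user": "svc_backup", "host": "FS01"}
{"time": "2024-03-04T02:00:00", "id": 4624, "user": "svc_backup", "host": "FS01", "type": 3, "src": "10.0.7.5"}
{"time": "2024-03-04T08:55:00", "id": 4624, "user": "jsmith", "host": "WS-HR-07", "type": 2, "src": "-"}
{"time": "2024-03-11T03:01:00", "id": 4624, "user": "dbadmin", "host": "WS-HR-07", "type": 3, "src": "10.0.9.44"}
{"time": "2024-03-11T03:04:00", "id": 4624, "user": "dbadmin", "host": "FS01", "type": 3, "src": "10.0.9.44"}
{"time": "2024-03-11T03:07:00", "id": 4624, "user": "dbadmin", "host": "SQL01", "type": 3, "src": "10.0.9.44"}
{"time": "2024-03-11T02:00:00", "id": 4624, "user": "svc_backup", "host": "FS01", "type": 3, "src": "10.0.7.5"}
{"time": "2024-03-11T10:15:00", "id": 4624, "user": "dbadmin", "host": "SQL02", "type": 10, "src": "10.0.5.20"}
"""

BASELINE_CUTOFF = datetime(2024, 3, 10)   # assumed: events before this train the baseline
REMOTE_LOGON_TYPES = {3, 10}              # network and RDP logons


def parse_log(text):
    """Parse JSON lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def privileged_users(events):
    """Accounts that ever received an admin-level token (Event ID 4672)."""
    return {e["user"] for e in events if e["id"] == 4672}


def detect_fan_out(events, priv, window=timedelta(minutes=30), min_hosts=3):
    """Rule 1: distinct hosts reached by remote logons within `window`."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["user"] in priv and e.get("type") in REMOTE_LOGON_TYPES:
            logons[e["user"]].append(e)
    alerts = []
    for user, evs in logons.items():   # evs are already time-ordered
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first": start["time"], "hosts": sorted(hosts)})
                break   # one alert per user is enough for triage
    return alerts


def build_baseline(events, priv, cutoff=BASELINE_CUTOFF):
    """Per privileged user: hosts used and the [earliest, latest] logon hour."""
    base = {}
    for e in events:
        if e["id"] != 4624 or e["user"] not in priv or e["time"] >= cutoff:
            continue
        b = base.setdefault(e["user"], {"hosts": set(), "hours": [23, 0]})
        b["hosts"].add(e["host"])
        h = e["time"].hour
        b["hours"] = [min(b["hours"][0], h), max(b["hours"][1], h)]
    return base


def detect_deviation(events, priv, baseline, cutoff=BASELINE_CUTOFF):
    """Rule 2: logons after `cutoff` to an unseen host or at an unusual hour."""
    alerts = []
    for e in events:
        if e["id"] != 4624 or e["user"] not in priv or e["time"] < cutoff:
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None or e["host"] not in b["hosts"]:
            reasons.append("new host")
        if b is None or not (b["hours"][0] <= e["time"].hour <= b["hours"][1]):
            reasons.append("unusual hour")
        if reasons:
            alerts.append({"user": e["user"], "host": e["host"], "time": e["time"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    priv = privileged_users(events)
    baseline = build_baseline(events, priv)
    return {"fan_out": detect_fan_out(events, priv),
            "deviation": detect_deviation(events, priv, baseline)}


if __name__ == "__main__":
    for rule, alerts in run().items():
        for a in alerts:
            print(rule, a)
```

On the sample data, rule 1 fires once for dbadmin (three hosts in six minutes from a workstation address at 3 a.m.), and rule 2 fires on each of those three logons while staying silent for the service account’s nightly backup job and for dbadmin’s normal daytime RDP session. In a real deployment the baseline would be learned over weeks rather than days, and the hour range would be replaced by a per-weekday profile; the point of the example is that accountable, per-account monitoring of privileged logons is enough to surface the attack chain the post describes.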
Incorporating these best practices into your core security strategy will help you combat the misuse of privileged accounts by owners and attackers alike, as well as harden your overall security posture. Stay tuned for more on how to detect and minimize the risk of privilege abuse in the coming weeks.