With evolving and steadily increasing cyber-attacks, many organizations are not taking steps to stop the abuse of privileged credentials
A recent survey from Centrify, a privileged access management (PAM) company, suggested that of the 1,000 IT decision makers surveyed in the U.S. and U.K., 74% of breaches involved access to a privileged account.
Background:
A privileged account is a user account that has more privileges than ordinary users. Privileged Access Management (PAM) is the management over those privileged accounts/credentials.
With evolving and steadily increasing cyber-attacks, many organizations are not taking steps to stop the abuse of privileged credentials, and don’t have proper controls in place around PAM. What many companies fail to consider is that external attackers can exploit and compromise invalid, and sometimes even valid, credentials. The most common privileged credential attack vectors are the following:
- If accounts are shared, a hacker or malicious insider who obtains the common, shared password gains access to systems and the network.
- If the passwords of specialized privileged accounts (service or process accounts) are never changed, the reusable password can fall into the wrong hands.
- Social engineering and phishing attacks can give a hacker elevated rights on the network when a user unknowingly clicks a malicious link.
- Weak passwords allow hackers to perform brute-force attacks, compromising passwords and allowing unauthorized network access.
- If default passwords on systems (e.g. servers, network gear, etc.) aren’t changed, they may be an easy access point for a hacker.
Most, if not all, organizations today use Microsoft’s Active Directory (AD) solution if their environment consists mainly of Microsoft servers and devices. AD helps the organization manage servers, computers and other devices on a network, and allows established administrators to manage those devices, the domain network and the users created within it. However, there may be systems or devices which are not controlled within AD, such as databases, applications, and networking devices. Organizations should be mindful of which systems and devices are outside AD control. All access (including general network users and administrative access) should be assigned on a least-privilege basis. Least privilege is the concept of restricting the access rights of any user or account to only those resources absolutely required to complete its task.
Privileged Access Management (PAM) is a solution that can help organizations restrict access within an existing environment. Controls around PAM are important because some administrators within organizations will not change passwords unless prompted, or organizations will allow administrators or C-Suite personnel to bypass the controls in place. Important controls to have in place around PAM include privileged password management and the use of separate accounts for administrators: one for general day-to-day use and one for administrative functions. Each account should have the lowest possible privileges, and user activity on all accounts should be monitored. As part of an organization’s comprehensive incident response plan, procedures should be in place to address a situation in which a privileged account is taken over by an outside attacker or a malicious insider.
How many privileged accounts do you have at your organization?
Can you easily think of how many privileged accounts you have at your organization, and who specifically has access to these accounts? Part of having a comprehensive understanding of your security and risk involves regular review of privileged accounts. Other questions which should be asked to ensure these accounts are secure include:
- Are administrators sharing root or privileged accounts to systems?
- Does your organization not use a password vault?
- Does it take more than 24 hours after an administrator leaves the company before their accounts are turned off or disabled?
- Is multi-factor authentication not being used for authenticating into these privileged accounts?
- Can you act quickly when suspicious use of a privileged account occurs?
If the answer to any of the above questions is yes, then too much privileged access may be granted, and that access should be re-assessed and re-evaluated. According to Symantec’s ITSR 2019 Report, email users working in the public administration sector receive one malicious email for every 302 emails they receive.
What can an organization do to protect themselves?
Below are further processes and controls that an organization can implement to protect itself and determine whether any privileged accounts are at risk.
- Assess the current situation at the organization
- Identify all privileged accounts and credentials
- Classify types of privileged accounts and access by risk
- Control and secure the highest risk accounts first
- Track each account, auditing and recording all privileged activity
- Govern and control access to each privileged account
- Deploy enterprise password management across the entire environment
- Remove local admin rights from all end users
- Assess any vendor privileged accounts and then manage under Vendor Privileged Access Management (VPAM)
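The review questions above and the "identify", "classify" and "track" steps in this list can be started from the directory itself. The following script is an added example (not from this article or from Freed Maxick): it inventories members of high-privilege AD groups and flags the risk signals the article describes, such as never-rotated service account passwords, enabled accounts that nobody uses, and accounts with no named owner. The group names and day thresholds are assumptions to adjust to your own policy, and it assumes the RSAT ActiveDirectory module with read access to the domain.

```powershell
# Added example: review privileged AD accounts for the risk signals named in the article.
# Assumptions: RSAT ActiveDirectory module installed; group list and thresholds are placeholders.
Import-Module ActiveDirectory

$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$MaxPasswordAgeDays = 90   # assumed rotation policy for privileged credentials
$StaleLogonDays     = 30   # assumed window after which an unused, enabled privileged account is suspect

$now  = Get-Date
$seen = @{}   # de-duplicate users that appear in several groups (nested membership is expanded)

$findings = foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if ($seen.ContainsKey($m.DistinguishedName)) { continue }
        $seen[$m.DistinguishedName] = $true
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires,
                Enabled, LastLogonDate, GivenName, Surname, ServicePrincipalName

        $flags = @()
        # Unchanged passwords on service/process accounts are a reusable secret (article, attack vectors).
        if ($u.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
        if (-not $u.PasswordLastSet -or ($now - $u.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
            $flags += "PasswordOlderThan${MaxPasswordAgeDays}d"
        }
        # Leavers' accounts should be disabled within a day; an enabled account with no recent logon is a candidate.
        if ($u.Enabled -and $u.LastLogonDate -and ($now - $u.LastLogonDate).Days -gt $StaleLogonDays) {
            $flags += 'EnabledButStale'
        }
        # Heuristic: no person name attached usually means a shared or service account that needs a named owner.
        if (-not $u.GivenName -and -not $u.Surname) { $flags += 'NoNamedOwner' }
        if ($u.ServicePrincipalName)                { $flags += 'HasSPN_ServiceAccount' }

        [pscustomobject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Flags           = ($flags -join ',')
        }
    }
}

"Privileged accounts found: $($seen.Count)"
$findings | Where-Object { $_.Flags } | Sort-Object Group, Account | Format-Table -AutoSize
$findings | Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation
```

The exported CSV gives the account-by-account record needed for the "classify by risk" and "control the highest risk accounts first" steps; privileged accounts that live outside AD (databases, applications, network gear) still have to be inventoried separately.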
What if your organization doesn’t make the change?
If your organization does not begin to assess and secure its IT environment by tightening controls around PAM, it could face the following:
- Susceptibility to vulnerabilities
- Unauthorized privilege escalations or inappropriate actions occurring without the organization’s knowledge
- Misuse of personally identifiable information (PII)
- Susceptibility to spear-phishing attacks
- Computing system downtime
- Increase in IT costs
What can Freed Maxick do for you?
If in doubt, or to learn more about controls or procedures around PAM at your company, contact our dedicated team of professionals who focus on and provide PAM assessments on a national basis.
