How Do You Know if Your Privileged Accounts Are at Risk?

September 18, 2018

Privileged access management (PAM) is one of the biggest priorities for security teams, but it brings some difficult challenges. Privileged users (your IT administrators or business super users) hold the keys to the organization’s crown jewels: your network, systems and sensitive data.

As a result, threat actors actively target privileged accounts as an entry point to move throughout an IT environment, compromising systems and stealing sensitive company and customer data. That’s why the misuse and abuse of privileged credentials is a major concern for IT security professionals. Stringent security and compliance requirements are often put in place as a result, which can create a lot of work for IT teams to document privileged account use for audits, manually update credentials, and keep track of privileged users and their entitlements.

There must be a better way — but where do you start, and how do you know if your privileged accounts are at risk?

5 Questions to Help You Protect Privileged Accounts

As a first step, determine whether you are managing privileged credentials effectively to mitigate the risks of a privileged account attack. Below are five questions to help you improve your ability to discover privileged credential misuse and refine your incident response plans for such attacks.

1. Do You Have Visibility Into Your Privileged Access Risks?

Many organizations simply don’t know the full breadth of privileged credentials that exist in their IT environment until they conduct an eye-opening compliance audit. Privileged access is often a highly manual and outdated process managed with spreadsheets or insecure cloud applications.

Unknown privileged accounts in the IT environment can cripple an organization because they often lead to undetected cyberbreaches. In fact, a Forrester study found that 80 percent of data breaches involve the use of privileged account access. If an organization doesn’t have clear visibility into all its privileged accounts, there’s a higher likelihood that such a breach will go undetected.

Even if you are adequately managing privileged access in your current environment, your security team may not be prepared to apply the right controls to new applications and systems. Even sophisticated organizations often lack a systematic way to manage the deployment of new assets into the IT environment and their associated security controls.

2. Can You Adequately Secure Privileged Credentials?

Once you know what types of privileged accounts you have, you may find that your accounts are not adequately secured. Find out if privileged credentials are shared frequently among your IT admins. If credentials are visible to the end-user admins, that’s a red flag for significant risk.

Passwords and secure shell (SSH) keys that are static or reused can also pose potential risks. Passwords and SSH keys need to be rotated, randomized and expired regularly. A threat actor can execute many types of attacks, such as phishing, man-in-the-middle (MitM) and pass the hash, using static passwords to obtain root access to your systems and data.
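One way to check local privileged accounts for static, non-expiring passwords is sketched below. This is an added example, not code from the original article. It assumes Linux hosts with the standard `/etc/shadow` field layout; the account names, the privileged set, the 90-day policy and the sample data are all constructed.

```python
from datetime import date

# Constructed sample in /etc/shadow field layout (hashes are placeholders):
# name:hash:lastchg:min:max:warn:inactive:expire  (lastchg = days since 1970-01-01)
SHADOW = """\
root:$6$PLACEHOLDER:17000:0:99999:7:::
dbadmin:$6$PLACEHOLDER:17780:0:90:7:::
svc_backup:$6$PLACEHOLDER:16500:0::7:::
alice:$6$PLACEHOLDER:17000:0:99999:7:::
"""
PRIVILEGED = {"root", "dbadmin", "svc_backup"}  # assumed output of your account inventory
MAX_AGE_DAYS = 90                                # assumed rotation policy


def audit(shadow_text, privileged, today, max_age=MAX_AGE_DAYS):
    """Return {account: [findings]} for privileged accounts that break policy."""
    today_days = (today - date(1970, 1, 1)).days
    report = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] not in privileged:
            continue  # malformed line or not a privileged account
        name, lastchg, max_days = fields[0], fields[2], fields[4]
        findings = []
        # Empty or very large "max" means the password is never forced to expire.
        if not max_days or int(max_days) > max_age:
            findings.append("no enforced expiry")
        # Empty lastchg disables aging; 0 means a reset is pending at next login.
        if not lastchg or lastchg == "0":
            findings.append("change date unknown or forced reset pending")
        elif today_days - int(lastchg) > max_age:
            findings.append(f"static for {today_days - int(lastchg)} days")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SHADOW, PRIVILEGED, date(2018, 9, 18)).items():
        print(account, "->", "; ".join(findings))
```
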

Does your organization have a policy of least privilege? Least privilege means giving users the minimum entitlements needed to accomplish their intended tasks. Users should log into their systems and environments as normal users by default and receive elevated privileges only for as long as is needed to execute a privileged action. Organizations that don’t have a policy of least privilege may be putting privileged accounts at serious risk.

Another area to review is multifactor authentication (MFA) and authorization controls. These solutions can make it more difficult for attackers to misuse privileged credentials, but they can be costly to deploy across your entire environment. Many legacy systems may not even support modern MFA capabilities without expensive upgrades. A robust PAM solution can help you sidestep this issue; you just need to protect the credential vault with MFA rather than retrofitting every legacy system.

3. Can You Detect Inappropriate Privileged Account Use?

Another key question is whether you have the ability to monitor privileged accounts for unusual behaviors and log activity information for review.

Detecting inappropriate privileged account use starts with monitoring. Once that access data is available, threat analytics can be applied to privileged accounts to establish a baseline of normal behavior, catch deviations and trigger alerts. Scoring algorithms can be used to categorize normal behavior, taking into account the patterns of individual users and their activities. These algorithms can then pick up deviations from the norm and categorize their severity with a risk score. If you set the right thresholds, the risk score can kick off an alert and an incident response plan.

The ability to quickly identify these malicious behaviors is key. The faster you detect them, the faster you can respond to privileged account attacks.
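The baseline-and-score approach described above can be illustrated with a small added example, which is not code from the original article or from any PAM product. It scores each privileged access event by how rare its time band, source host and target system are in that user's own history. The users, hosts, weights and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events: (user, hour_of_day, source_host, target_system)
HISTORY = [
    ("alice", 9, "jump01", "db-prod"), ("alice", 10, "jump01", "db-prod"),
    ("alice", 14, "jump01", "db-prod"), ("alice", 11, "jump01", "app-prod"),
    ("alice", 15, "jump01", "db-prod"), ("alice", 9, "jump01", "app-prod"),
    ("bob", 22, "jump02", "net-core"), ("bob", 23, "jump02", "net-core"),
    ("bob", 21, "jump02", "net-core"), ("bob", 22, "jump02", "fw-edge"),
]
WEIGHTS = {"hour_band": 30, "source": 40, "target": 30}  # assumed; sums to 100


def featurize(event):
    user, hour, source, target = event
    band = "business" if 8 <= hour < 18 else "off-hours"
    return user, {"hour_band": band, "source": source, "target": target}


def build_baseline(history):
    """Per-user frequency counts for every feature value seen so far."""
    baseline = defaultdict(lambda: {f: Counter() for f in WEIGHTS})
    for event in history:
        user, feats = featurize(event)
        for name, value in feats.items():
            baseline[user][name][value] += 1
    return baseline


def risk_score(baseline, event):
    """0-100: weighted rarity of each feature value in the user's own history."""
    user, feats = featurize(event)
    if user not in baseline:
        return 100  # privileged activity from an account with no baseline
    score = 0.0
    for name, value in feats.items():
        counts = baseline[user][name]
        score += WEIGHTS[name] * (1 - counts[value] / sum(counts.values()))
    return round(score)


def severity(score, alert_at=60, review_at=30):
    """Map a score to an action tier; thresholds are assumed and need tuning."""
    if score >= alert_at:
        return "alert"
    return "review" if score >= review_at else "normal"
```

Scoring against each user's own history matters here: an off-hours login is routine for the constructed user `bob` but a deviation for `alice`.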

4. Can You Act Quickly When Suspicious Privileged Account Use Occurs?

Are your incident response practices and workflows ready to address a scenario in which a privileged account is hijacked by an attacker or malicious insider? Can you automatically shut down a privileged session based on unusual activity, or are you relying on a manual process?

Having the right controls in place to immediately react to a risk factor can prevent an attack from escalating. By contrast, a manual process means you are dependent on the response time of an analyst to stop a threat, which could leave the attacker enough time to cause irreparable harm.

5. Can You Recover Privileged Credentials After an Incident?

In the event of stolen data records or system failure, you need to be able to recover and restore critical data quickly. Either way, the PAM solution needs to be robust and include break-glass procedures to allow access to critical systems in the event of a failure.

However, this is not easy because it requires coordination across multiple teams so that everyone uses the same playbooks. If you don’t have high availability and redundancy set up for PAM systems, your privileged accounts are likely at risk too.

Threat actors that successfully obtain privileged credential access may be able to change passwords, locking your admins out of critical systems and applications. The ability to recover privileged credentials allows your organization to maintain control of these accounts in the event of a cyberattack.

A Comprehensive Approach to Privileged Access Management

Answering these five questions and acting on them to protect privileged accounts requires a comprehensive approach to privileged access management. Privileged account attacks can quickly escalate from an undetected security incident into a full-blown data breach. That’s why it’s crucial to develop a methodical and strategic process for managing privileged access. Doing so narrows your overall attack surface and improves your security posture.


Marc von Mandel
Product Marketing Manager, IAM & Product Professional Services

Marc von Mandel leads the global portfolio marketing efforts for Identity and Access Management Services (IAM) and Product Professional Services at IBM. Marc...