Identity & Access September 18, 2018
By Marc von Mandel 4 min read

Privileged access management (PAM) is one of the biggest priorities for security teams, but it brings some difficult challenges. Privileged users — your IT administrators or business super users — hold the keys to the organization’s crown jewels, or your network, systems and sensitive data.

As a result, threat actors actively target privileged accounts as an entry point to move throughout an IT environment, compromising systems and stealing sensitive company and customer data. That’s why the misuse and abuse of privileged credentials is a major concern for IT security professionals. Stringent security and compliance requirements are often put in place as a result, which can create a lot of work for IT teams to document privileged account use for audits, manually update credentials, and keep track of privileged users and their entitlements.

There must be a better way — but where do you start, and how do you know if your privileged accounts are at risk?

5 Questions to Help You Protect Privileged Accounts

As a first step, determine whether you are managing privileged credentials effectively to mitigate the risks of a privileged account attack. Below are five questions to help you improve your ability to discover privileged credential misuse and refine your incident response plans for such attacks.

1. Do You Have Visibility Into Your Privileged Access Risks?

Many organizations simply don’t know the full breadth of privileged credentials that exist in their IT environment until they conduct an eye-opening compliance audit. Privileged access is often a highly manual and outdated process managed with spreadsheets or insecure cloud applications.

Unknown privileged accounts in the IT environment can cripple an organization because they often lead to undetected cyberbreaches. In fact, a Forrester study found that 80 percent of data breaches involve the use of privileged account access. If an organization doesn’t have clear visibility into all its privileged accounts, there’s a higher likelihood that such a breach will go undetected.

Even if you are adequately managing privileged access in your current environment, your security team may not be prepared to apply the right controls to new applications and systems. Even sophisticated organizations often lack a systematic way to manage the deployment of new assets into the IT environment and their associated security controls.

2. Can You Adequately Secure Privileged Credentials?

Once you know what types of privileged accounts you have, you may find that your accounts are not adequately secured. Find out if privileged credentials are shared frequently among your IT admins. If credentials are visible to the end-user admins, that’s a red flag for significant risk.

Passwords and secure shell (SSH) keys that are static or reused can also pose potential risks. Passwords and SSH keys need to be rotated, randomized and expired regularly. A threat actor can execute many types of attacks, such as phishing, man-in-the-middle (MitM) and pass the hash, using static passwords to obtain root access to your systems and data.

Does your organization have a policy of least privilege? Least privilege means giving users the minimum entitlements needed to accomplish their intended tasks. Users should log into their systems and environments as normal users by default and receive elevated privileges only for as long as is needed to execute a privileged action. Organizations that don’t have a policy of least privilege may be putting privileged accounts at serious risk.

Another area to review is multifactor authentication (MFA) and authorization controls. These solutions can make it more difficult for attackers to misuse privileged credentials, but they can be costly to deploy across your entire environment. Many legacy systems may not even support modern MFA capabilities without expensive upgrades. A robust PAM solution can help you sidestep this issue; you just need to protect the credential vault with MFA rather than retrofitting every legacy system.

3. Can You Detect Inappropriate Privileged Account Use?

Another key question is whether you have the ability to monitor privileged accounts for unusual behaviors and log activity information for review.

Detecting inappropriate privileged account use starts with monitoring. Once that access data is available, threat analytics can be applied to privileged accounts to establish a baseline of normal behavior, catch deviations and trigger alerts. Scoring algorithms can be used to categorize normal behavior, taking into account the patterns of individual users and their activities. These algorithms can then pick up deviations from the norm and categorize their severity with a risk score. If you set the right thresholds, the risk score can kick off an alert and an incident response plan.

The ability to quickly identify these malicious behaviors is key. The faster you detect them, the faster you can respond to privileged account attacks.

4. Can You Act Quickly When Suspicious Privileged Account Use Occurs?

Are your incident response practices and workflows ready to address a scenario in which a privileged account is hijacked by an attacker or malicious insider? Can you automatically shut down a privileged session based on unusual activity, or are you relying on a manual process?

Having the right controls in place to immediately react to a risk factor can prevent an attack from escalating. By contrast, a manual process means you are dependent on the response time of an analyst to stop a threat, which could leave the attacker enough time to cause irreparable harm.

5. Can You Recover Privileged Credentials After an Incident?

In the event of stolen data records or system failure, you need to be able to recover and restore critical data quickly. Either way, the PAM solution needs to be robust and include break-glass procedures to allow access to critical systems in the event of a failure.

However, this is not easy because it requires coordination across multiple teams, so everyone uses the same playbooks. If you don’t have high availability and redundancy set up for PAM systems, your privileged accounts are likely at risk too.

Threat actors that successfully obtain privileged credential access may be able to change passwords, locking your admins out of critical systems and applications. A recovery of privileged credentials allows your organization to maintain control of these accounts in the event of a cyberattack.

A Comprehensive Approach to Privileged Access Management

Answering these five questions and acting on them to protect privileged accounts requires a comprehensive approach to privileged access management. Privileged account attacks can quickly escalate from an undetected security incident into a full-blown data breach. That’s why it’s crucial to develop a methodical and strategic process for managing privileged access. Doing so narrows your overall attack surface and improves your security posture.

Register for the webinar to learn how to narrow your privileged account attack surface

 |  |  |  |  | 
Marc von Mandel
Product Marketing Manager, IAM & Product Professional Services

More from Identity & Access
September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

July 18, 2023

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

May 24, 2023

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature