The Lockdown

Thycotic’s Cyber Security Blog

A Guide to Managing and Securing Privileged Users

Written by Chris Smith

March 3rd, 2020

Organizations often have two to three times more privileged user accounts than individual employees. Securing these special accounts is vital to protecting sensitive information and critical systems from cyber attack. To help people stay productive, you must provide appropriate access for privileged users while also minimizing risk.

Privileged users require special handling, training, and oversight.

Read on to learn:

  • How privileged users differ from other types of users.
  • Risks associated with the compromise and misuse of privileged user accounts.
  • How privilege management makes your organization less vulnerable to increasing threats that cause monetary and reputational damage.

You’ll gain a practical understanding of different types of users with a focus on privileged users and privileged user management, including what privileged users are, where they’re located throughout your IT environment, and how they function. Most importantly, you’ll understand the risks associated with privileged users and how to best protect IT systems and sensitive data from external and insider threats.

Key Privileged User Account Definitions

To set the stage, let’s define important terms you need to know about privileged user accounts, and privileged user management.

There are two categories of IT accounts, associated with different types of users:

Standard user accounts: A user account typically represents a human identity (such as an Active Directory user account) and has an associated password to protect information and prevent anyone else from accessing it without permission. There’s usually a single account password per user that needs to be memorized by a person.

Standard users: Standard users are typically business users who don’t require special systems or information to do their jobs. Most employees at large organizations are standard users. They can access applications on their own computers and internal systems such as email and business applications. Standard users have a limited ability to make changes to their company-provided workstations, and don’t have direct access to sensitive systems or data.

Privileged user accounts: Privileged user accounts provide administrative or specialized levels of access to enterprise systems and sensitive data, based on elevated levels of permissions.

Privileged users: These users are often members of the IT team, but they don’t need to be. The typical privileged user is a system administrator responsible for managing an environment, or an IT administrator of specific software or hardware. They need elevated privileges to:

  • Install system hardware/software
  • Reset passwords for others
  • Access sensitive data
  • Make changes in IT infrastructure systems
  • Log into all machines in an environment

Privileged users and elevated privileges

Some people are both standard users and privileged users, depending on the account they use.

In most organizations, IT staff have one user account with standard-level permissions and another user account for performing operations that require elevated permissions. For example, a privileged user account might be used by an IT professional to access internal servers in order to perform an upgrade, modify settings, or conduct general maintenance. They may, in fact, have multiple privileged user accounts which allow them to access different systems and perform different functions.

Local account credentials are attractive assets for cyber criminals

Local privileged accounts are one type of privileged user account many organizations forget. Users who retain local administrative rights to their workstations are in fact privileged users. They have the ability to make configuration changes, add and remove applications and execute programs. This elevated level of account permissions makes local account credentials attractive assets for cyber criminals to target via social engineering and phishing strategies.

What’s the difference between a privileged user account and a privileged account?

Privileged user accounts are a subset of privileged accounts. The primary difference between these account types is that a privileged user account is associated with an actual person, while a privileged account doesn’t need to be.

Examples of privileged user accounts which have elevated permissions are:

  • Local or Domain Admin accounts that manage servers
  • Domain Admin accounts that typically control Active Directory users
  • SA accounts, or System Admin accounts, that help manage databases
  • Root accounts that manage Unix/Linux platforms

In contrast, non-human privileged accounts (also called “service accounts”) aren’t directly associated with a unique user. These accounts are used to enable servers, databases and applications to communicate with each other securely across the network.

Examples of non-human privileged accounts which have elevated permissions are:

  • Accounts that run and manage Windows applications, services, and scheduled tasks
  • IIS application pools (.NET applications)
  • Networking equipment accounts that give access to firewalls, routers, and switches

In practice, service accounts like these can be more difficult to discover and secure because they don’t have a unique privileged user responsible for them. If you only focus on the privileged user aspect of privilege management, you will miss what are arguably the most risky types of accounts.

Which leads us to the next question…

Is privileged user management enough? Or, do I need full privileged access management?

Privileged user management, sometimes called PUM, is the process of managing privileged user accounts which are associated with specific assets. For example, a server may only have a single built-in root or administrator account, so rather than giving users elevated permissions to access that server, a privileged user needs to be granted the specific credential to access the server.

In some security circles, PUM is synonymous with privileged identity management (PIM). In both cases, the privileged account is not associated with a particular person, but rather is a transferable digital identity.

Privileged access management (PAM) is much broader than PUM or PIM and thus PAM solutions are more comprehensive. PAM relies on policy-based software and strategies to control which accounts—both human and non-human—can access sensitive systems and information and what types of privileged activities they can conduct.

Privileged accounts rely on credentials to control access and behavior. By creating, storing, and managing privileged credentials (passwords, keys and secrets) in a secure vault, PAM solutions control authorized access of a user, process, or systems to protected resources across an IT environment.

Additionally, PAM includes solutions to manage the full lifecycle of all types of privileged accounts, from discovery and provisioning to rotation and decommissioning. With PAM you can add layers of oversight, including approvals, session monitoring, and recording. The enterprise-level analytics and incident response included in comprehensive PAM allow you to report compliance to auditors and executives, and keep your full IT and security team working together to prevent and respond to privilege security attacks.

Risk management for privileged users

One third of all breaches, regardless of attack type, involve the use of stolen credentials. Last year, 71% of incidents were financially motivated, and 25% were motivated by strategic leverage (i.e., espionage).

Virtually all organizations have some unknown or unmanaged privileged user accounts. Some may have thousands. This can happen for various reasons:

  • An ex-employee’s access was never disabled.
  • An account is utilized less and less often until it becomes obsolete and is abandoned.
  • Default accounts for new devices and workstations were never disabled.

Every unknown or unmanaged privileged user account presents risk.

  • An employee may access it to perform unauthorized tasks, intentionally or unintentionally, violating compliance mandates and increasing your liability.
  • A disgruntled ex-employee who retains privileged access can knowingly gain unauthorized access to restricted data.
  • A cyber criminal can find the account and penetrate your organization, steal information, and wreak untold havoc.

Without proactive management, it only takes one compromised privileged user account to become a catastrophe.

Remember, 56% of breaches took months or longer to discover.

External attacks on privileged user accounts

Cyber criminals are constantly improving their strategies to gain access and wreak havoc. Privileged user accounts, and the credentials that secure them, remain a ripe target.

Of the top breaches last year, internal systems, credentials and personal data were the most common elements hackers attempted to gain access to as part of a breach. Combined, these accounted for about ⅔ of all breaches.

Most attackers take a methodical, multi-step approach to gain access to your most critical systems and data. They often start by taking over user accounts which are using default or common passwords. This is just the foot in the door they need, since their real goal is to take over privileged accounts and escalate their access to applications, data, and key administrative functions.

Understand the tactics used by cyber criminals to compromise privileged accounts. These include: compromising a local account, capturing a privileged account, performing patient and stealthy reconnaissance and learning about the normal routines of IT teams, impersonating employees, establishing ongoing access, and causing harm—both in the short-term and over the long haul.

Insider threats to privileged accounts

According to Verizon’s 2019 Data Breach Investigations Report, 34% of breaches are initiated by an insider threat, which could be a disgruntled employee, deliberate insider espionage, or simply due to sloppy security hygiene. Nearly ⅓ of reported incidents were related to privilege misuse, while ⅕ of breaches were due to password misuse.

Despite these alarming statistics, even in the most sophisticated IT environments, privileged user accounts are all too often managed by using common passwords across multiple systems, unauthorized sharing of credentials, and default passwords that are never changed—making them prime targets for attack.

People are often considered the weakest link in a security strategy

“Privilege abuse is a problem for organizations who fail to implement privileged access management solutions,” writes Thycotic’s Chief Security Scientist, Joseph Carson. He goes on to say, “As a result, their employees have high-level privileges that are typically unnecessary to perform their jobs. These privileges go unmanaged and unprotected, leaving the organization exposed to unnecessary risk.”

“In fact, identity theft has increased by record numbers in recent years and is the primary focus of many cyber criminals,” says Carson. “This is because it’s much easier to steal a trusted insider’s credentials and bypass traditional cyber security controls than it is to break through the firewall.”

Organizations want to do the right thing, yet the complexity of the task makes it a challenge for even the most well-intentioned IT staff. They seek the balance between allowing people to be productive and get their jobs done, while also having the right tools and controls in place to maintain an appropriate level of security.

Password reuse is bad, but people do it anyway

CPO Magazine found that a half to two-thirds of people reuse passwords for multiple accounts, even in the face of high-profile incidents and warnings from technology companies and the media.

Those statistics are bad enough when applied to standard users. Now consider the impact if privileged users do the same.

Steps to secure different types of privileged user accounts

Local Administrator Accounts

  • What is it? Every workstation has an administrator account. The default local administrator account is the first account created. This account gives the user full access and control over the files, directories, services, applications and other resources within the local server. It can also be used to create new local users and assign or modify permissions on the local computer.
  • What’s the risk: This is one of the main culprits of employees being over privileged, since it is often given to employees by default, and grants them excess access which they don’t necessarily need.
  • What to do: Remove default access to this account or rename or disable it to prevent unauthorized use. Enforce least privilege user rights on all computers and servers.

Domain Admin Accounts

  • What is it? The Domain Admin account has full access to almost all resources, including the Active Directory (AD) controller.
  • What’s the risk: Since this is a default on domain controllers, workstations, and member servers, if it’s compromised or misused it has broad access across the network.
  • What to do: Only a limited number of users should be given access to this type of account, and all activity should be actively monitored and routinely audited. Establish a formal approval process to assign “on-demand” access to these accounts.

Privileged Data User Accounts

  • What is it? This is a standard user account that has access to sensitive or privileged data: a broker with access to financial records, an accountant with access to tax documents, a doctor with access to patient data, a lawyer with access to sensitive client information.
  • What’s the risk: Since these are often run-of-the-mill accounts which just happen to have extraordinary access, they may not be monitored or audited, and the password policy may not reflect the sensitive nature of the accounts.
  • What to do: Perform a Data Risk Assessment to identify privileged accounts and the users who have access to them, then take steps to not only harden the application housing the data, but also limit access by regular accounts. Ensure those accounts are subject to higher security scrutiny and protocols.

Emergency / Break the Glass Accounts

  • What is it? In the case of a critical incident, certain users may need access to privileged systems or accounts. In these cases, an emergency account, which is disabled by default, can serve as an alternate way of accessing important systems. These types of accounts are reserved for emergencies, such as a cyber attack, which limits access to usual admin accounts.
  • What’s the risk: Since these accounts have access to sensitive systems when they are enabled, if they’re commandeered by an attacker, they could be used as a back door.
  • What to do: Limit access to these accounts, monitor actively, and ensure they’re only available in case of emergency, and not as a back door to sensitive data or systems.

Strategies for mitigating risks associated with privileged users

Privileged users want to do the right things, but they don’t always have the ability to do so. Your role as a security leader is to empower your privileged users so they can act securely without losing productivity.

Training

Train all employees—not just privileged users—to recognize suspicious or insecure behavior and give them ways to say something if they see something. This is especially important when people are faced with more sophisticated social engineering and phishing attacks, and with more personal devices used for business purposes.

Provide privileged access management training to users who are accountable for privileged accounts. The training should emphasize the critical importance of privilege security and include security policies specific to your organization. Make sure you get buy-in from your executive team by educating them as well.

Policy-based controls

Implement a structured security process which details which types of users should have access to which resources.

Share a formal policy for privileged accounts to ensure accountability. Review and update it at least once a year, if not more often. Policies should be based on the categorization and classification of privileged user accounts specific to your organization. Rely on purpose-built security policy documents rather than starting from scratch.

Control new privileged user account creation with a formal review and approval process. The creation of any new privileged user account should be subject to specific reviews and approvals involving a peer or supervisor review.

Privileged account access should be limited by time, geographical location, scope of permissions, and approval needed.

There are some accounts which users might need access to for a limited time. Provide a mechanism for them to request “on-demand” or “just in time” access to these accounts, then revoke access automatically after a specified time has elapsed.
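The limits described above (time, location, scope, approval, and automatic expiry) can be expressed as one policy check. This is an added sketch, not code from the original post or from any Thycotic product; the `Policy` and `Grant` records, the account name `db-prod-sa`, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass(frozen=True)
class Policy:                      # hypothetical policy record for one account
    account: str
    max_duration: timedelta
    locations: frozenset
    scopes: frozenset
    approvers: frozenset

@dataclass(frozen=True)
class Grant:
    user: str
    account: str
    scope: str
    expires_at: datetime

def request_access(policy: Policy, user: str, scope: str, location: str,
                   duration: timedelta, approver: str,
                   now: datetime) -> Tuple[Optional[Grant], str]:
    """Return (grant, "approved") or (None, reason) for an on-demand request."""
    # Approval must come from a listed approver who is not the requester.
    if approver not in policy.approvers or approver == user:
        return None, "approval by an authorised second person required"
    if location not in policy.locations:
        return None, "location not permitted"
    if scope not in policy.scopes:
        return None, "scope not permitted"
    if not timedelta(0) < duration <= policy.max_duration:
        return None, "duration outside policy"
    return Grant(user, policy.account, scope, now + duration), "approved"

def is_active(grant: Grant, now: datetime) -> bool:
    """Evaluated on every use, so access lapses at expiry with no manual revoke."""
    return now < grant.expires_at

# Constructed sample policy and request time
POLICY = Policy("db-prod-sa", timedelta(hours=2), frozenset({"HQ", "VPN"}),
                frozenset({"read-only", "maintenance"}),
                frozenset({"alice", "dana"}))
T0 = datetime(2020, 3, 3, 9, 0)

if __name__ == "__main__":
    grant, reason = request_access(POLICY, "bob", "maintenance", "VPN",
                                   timedelta(hours=1), "alice", T0)
    print(reason, grant)
    print("active at 10:30?", is_active(grant, T0 + timedelta(minutes=90)))
```

Because `is_active` is checked at use time rather than relying on a cleanup job, a missed revocation cannot leave the grant open.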

Proactive oversight

Actively monitor and routinely audit any privileged user accounts which have elevated permissions, to spot illicit activity, and to decredential or deprovision user accounts which no longer require elevated permissions.

Evaluate your privileged user accounts to set appropriate expiration dates. This policy helps prevent what’s known as privileged access creep, where users accumulate privileges over time that may not still be required. Review and disable privileged accounts that aren’t appropriate for specific users—especially for accounts used by third-party contractors that are no longer needed.
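The audit described here, together with the causes of unmanaged accounts listed under "Risk management for privileged users" (ex-employee access, abandoned accounts, defaults never disabled), can be run as a routine check over an account inventory. This is an added example, not code from the original post; the `Account` fields, the 90-day staleness threshold, the list of default account names, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)   # assumed threshold; set from your policy
DEFAULT_NAMES = {"administrator", "admin", "root", "sa", "guest"}  # assumed

@dataclass
class Account:
    name: str
    owner: Optional[str]               # accountable person, None if unowned
    privileged: bool
    enabled: bool
    last_used: Optional[date]
    expires: Optional[date]
    password_changed: Optional[date]   # None = never changed since setup

def audit(accounts, active_staff, today):
    """Return {account name: [findings]} for enabled privileged accounts."""
    report = {}
    for a in accounts:
        if not (a.privileged and a.enabled):
            continue
        findings = []
        if a.owner is None:
            findings.append("no accountable owner")
        elif a.owner not in active_staff:
            findings.append("owner no longer employed")
        if a.last_used is None or today - a.last_used > STALE_AFTER:
            findings.append("stale or never used")
        if a.name.lower() in DEFAULT_NAMES and a.password_changed is None:
            findings.append("default account with unchanged password")
        if a.expires is None:
            findings.append("no expiration date")
        elif a.expires < today:
            findings.append("past expiration but still enabled")
        if findings:
            report[a.name] = findings
    return report

# Constructed sample inventory (not real accounts)
TODAY = date(2020, 3, 3)
STAFF = {"alice", "bob"}
INVENTORY = [
    Account("alice-adm", "alice", True, True, date(2020, 2, 28), date(2020, 6, 30), date(2020, 1, 15)),
    Account("carol-adm", "carol", True, True, date(2019, 8, 1), None, date(2019, 7, 1)),
    Account("admin", None, True, True, None, None, None),
    Account("vendor-x", "bob", True, True, date(2020, 2, 20), date(2020, 1, 31), date(2019, 12, 1)),
    Account("bob", "bob", False, True, date(2020, 3, 2), None, date(2020, 2, 1)),
    Account("old-root", None, True, False, None, None, None),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, STAFF, TODAY).items():
        print(f"{name}: {'; '.join(findings)}")
```

In practice the inventory would come from a directory or PAM discovery export and the staff list from HR; the check itself stays the same.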

Perform a data risk assessment to identify privileged accounts that have access to sensitive data, and the users who have access to them, then take steps to not only harden the application housing the data, but also to limit access by regular accounts. Ensure those accounts are subject to higher security scrutiny and protocols.

Never keep default credentials

Change default access credentials when setting up a new account, application, or system. One in five organizations have never changed default passwords, such as “admin” or “12345,” on privileged accounts. These default credentials are a top priority for hackers because they’re so easy to crack.

Least privilege policies

While some users need more rights and responsibilities than regular users, sometimes they are actually over-privileged, which makes them a prime target for attackers.

Enforce least privilege policies on workstations by keeping them configured to a standard user profile and automatically elevating their privileges to run only approved applications. For IT administrator users, control access and implement super user privilege management.

Automated governance

PAM solutions help you proactively manage, monitor, and control privileged user account access.

Too many organizations rely on spreadsheets to keep track of privileged user account passwords and attempt to govern them manually. These practices are inefficient, increase your risk, and are impossible to scale as your organization adds more privileged users.

Take the next step

By understanding the risks associated with privileged user accounts, you can put safeguards in place to ensure people can remain productive while also retaining a strong grip on overall privileged user security.

Learn more about how you can protect privileged user accounts—and all types of privileged accounts—with Thycotic Secret Server.
