A cyberattack is actually like a disease. The infection starts with an attacker taking advantage of some weakness in the system to penetrate and gain a foothold in an organ; in the case of an attack, the organ is often some computer that’s not being diligently managed. The infection takes control of the machinery of the organ, using it to build up its strength and using it as a base to launch incursions into other parts of the network. The incursions probe for valuable information and other weaknesses they can leverage. One of the main things they look for is abandoned system accounts, which are like critical cells that can be used to perform highly privileged actions on their targets.
I was talking to my friend and colleague, Paul Lanzi, who is the COO of Remediant, a leading provider of privileged access management solutions. He was telling me that their initial presentation goes something like this: They ask the prospect’s security person whether he or she knows how many privileged accounts are active on the enterprise network. Typically the response is something less than one hundred. They then give Remediant permission to run their scanner, part of the company’s SecureONE platform, which continuously monitors networks for usage of privileged credentials. The scanner usually finds ten times the number of privileged accounts the security team thought were active, and sometimes the number is much higher than that.
This goes to the fact that privileged accounts are typically poorly managed. Employees or contractors move into roles that require certain privileges and are granted administrative accounts for a set of resources. Often these are generic accounts that provide far more privilege than the individual really needs or ever uses. Later the individual leaves the organization, but the account remains. Sometimes the account is deactivated, but reactivation only requires the ability to manage users in some directory. Once an attacker has a privileged credential, it is often easy for that attacker to create more.
Privileged Access Management solutions are designed to address this challenge. What you want is to grant only the privileges required to perform a particular administrative operation on an operating system or network device, and to grant them only for a temporary period of time. The session should be logged. Ideally, it will be possible to watch the privileged session over the virtual shoulder of the person performing it. This is an area where, unless you are a pretty large, sophisticated enterprise, you probably need to buy tools. I was at an OWASP presentation not long ago where a representative of a large Silicon Valley information company talked about their internally developed tools in this area; I wondered why they were doing that, given the variety of credible products in the marketplace. In Silicon Valley folks figure they can do anything.
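The failure modes described above (departed owners whose admin accounts remain, deactivated accounts that were never removed, standing rather than time-bound privilege) can be checked against an account inventory before buying a tool. The script below is an added example, not code from this post or from any vendor; it assumes a constructed inventory of privileged accounts already joined to an HR status feed, and the field names and the 90-day dormancy threshold are my own choices.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class PrivilegedAccount:
    name: str
    enabled: bool
    last_logon: Optional[date]      # None means the account has never logged on
    owner_status: str               # "active" or "departed", from the HR feed
    grant_expires: Optional[date]   # None means a standing (permanent) grant

DORMANT_DAYS = 90  # assumed threshold for "nobody is using this"

def audit(accounts: List[PrivilegedAccount], today: date) -> Dict[str, List[str]]:
    """Classify privileged accounts into the findings a PAM review looks for."""
    findings: Dict[str, List[str]] = {
        "orphaned": [],             # owner left, account still enabled
        "disabled_not_removed": [], # owner left, account disabled but still in the directory
        "dormant": [],              # enabled but unused for more than DORMANT_DAYS
        "expired_grant": [],        # time-bound grant past its expiry yet still enabled
        "standing": [],             # permanent privilege with no expiry at all
    }
    for a in accounts:
        if a.owner_status == "departed":
            findings["orphaned" if a.enabled else "disabled_not_removed"].append(a.name)
        unused = a.last_logon is None or (today - a.last_logon).days > DORMANT_DAYS
        if a.enabled and unused:
            findings["dormant"].append(a.name)
        if a.grant_expires is None:
            findings["standing"].append(a.name)
        elif a.enabled and a.grant_expires < today:
            findings["expired_grant"].append(a.name)
    return findings

# Constructed sample inventory for demonstration; none of these are real accounts.
TODAY = date(2019, 6, 1)
SAMPLE = [
    PrivilegedAccount("svc_backup_adm", True, date(2019, 5, 30), "active", None),
    PrivilegedAccount("jdoe_admin", True, date(2018, 11, 2), "departed", None),
    PrivilegedAccount("contractor42", True, None, "departed", date(2019, 1, 31)),
    PrivilegedAccount("ops_oncall", True, date(2019, 5, 31), "active", date(2019, 6, 2)),
    PrivilegedAccount("old_dba", False, date(2017, 3, 3), "departed", None),
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE, TODAY).items():
        print(f"{category:22s} {', '.join(names) or '-'}")
```

Every account in the sample other than the on-call grant turns up in at least one finding, which is the gap between the "fewer than one hundred" guess and what a scanner reports.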
Privileged Access Management is a crowded marketplace. Most of the vendors in this space have published a best practices guide, and if you are starting the process of evaluating solutions in this area, you should review them. Here are links to a few:
“Privileged Access Security for Dummies” eBook – CyberArk Special Edition (registration required)
Gartner 10 Best Practices for Privileged Access Management, available from Centrify (registration required)
Gartner Market Guide for Privileged Access Management, via One Identity, but available from multiple vendors with registration.
I actually read all this material and talk to all the vendors in this space. Given my background, I can provide much of the value of a Gartner consultant at a fraction of the cost. I’d be happy to offer a no-charge initial consultation if you are starting down the path of trying to identify the right solution for your organization.