Securing Privileged Accounts – A Best Practices Guide


Cyber attackers exploit privileged accounts every day, in organizations of all sizes. The BlackPOS attack on retailers, Edward Snowden, and the recent U.S. tax return crime wave are all prominent examples.

These accounts are the most powerful in any organization – which is why attackers seek to exploit them in every advanced attack. Given the preponderance of privilege-based attacks, it’s time for best practice security procedures to be updated – which is why we published a new paper today, The Three Phases of Securing Privileged Accounts.

We’ll also be posting excerpts to the blog. To kick off the series, today we’ll look at identifying exactly what these accounts are.

What is a Privileged Account?

Privileged accounts are valid credentials used to gain access to systems. What sets them apart is that they also provide elevated, unrestricted access to the underlying platform that non-privileged user accounts do not have.

These accounts are designed to be used by sysadmins to deploy and manage IT technology, like operating systems, network devices, applications and more. They are the proverbial keys to the infrastructure – which is why attackers or malicious insiders seek to steal them. They basically provide access to just about everything.

We use ‘privileged account’ as a catch-all term, but these are the most common kinds of privileged account found across an environment:

  • Local Administrative Accounts: These non-personal accounts provide administrative access to the local host. They are typically used by IT staff to perform maintenance on workstations, servers, network devices, databases, mainframes, etc. Often, they have the same password across an entire platform or organization. This shared password, used across thousands of hosts, creates soft targets that advanced threats routinely exploit.
  • Privileged User Accounts: These are credentials that give administrative privileges on one or more systems. This is typically one of the most common forms of privileged account access granted on an enterprise network. These accounts usually have unique and complex passwords, and the power they wield across managed systems makes it necessary to continuously monitor their use.
  • Domain Administrative Accounts: These accounts give privileged administrative access across all workstations and servers within a Windows domain. While these accounts are few in number, they provide the most extensive and robust access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative account within the domain, a compromise of these credentials is often a worst-case scenario for any organization.
  • Emergency Accounts: These provide unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as ‘firecall’ or ‘breakglass’ accounts. While access to these accounts typically requires managerial approval for security reasons, it is usually a manual process that is inefficient and lacks any auditability.
  • Service Accounts: These can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges, depending on the requirements of the application they are used for. Local service accounts can interact with a variety of Windows components, which makes coordinating password changes difficult. This challenge usually means the passwords are rarely changed – representing a significant risk across an enterprise.
  • Application Accounts: These are accounts used by applications to access databases, run batch jobs or scripts, or provide access to other applications. These privileged accounts usually have broad access to underlying company information that resides in applications and databases. Passwords for these accounts are often embedded and stored in unencrypted text files, a vulnerability that is replicated across multiple servers to provide greater fault tolerance for applications. This vulnerability represents a significant risk to an organization because the applications often host the exact data that APTs are targeting.
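Three of the risks in the list above are the kind a defender can check for mechanically before any attacker does: a local administrative password shared across many hosts, service-account passwords that have not been rotated in years, and application credentials sitting in plaintext configuration files replicated across servers. The audit below is an added example, not code from the paper or from any product; the inventory records, the config file contents and the field names (`kind`, `pw_fingerprint`, `pw_last_set`) are all constructed for the example. It assumes a password vault or agent has already produced a salted fingerprint per account so that equal fingerprints mean equal passwords without the script ever handling cleartext.

```python
"""Audit a constructed privileged-account inventory for three of the risks
described above: shared local admin passwords, stale service-account
passwords, and credentials embedded in plaintext config files.
All records below are constructed; the field names are assumptions."""
import re
from collections import defaultdict
from datetime import date

# Constructed inventory: one record per (host, account) pair.
# pw_fingerprint is assumed to be a salted digest from the vault/agent, so
# equal values mean the same password without exposing the cleartext.
INVENTORY = [
    {"host": "ws-001", "account": "Administrator", "kind": "local_admin",
     "pw_fingerprint": "f1a2", "pw_last_set": date(2023, 1, 10)},
    {"host": "ws-002", "account": "Administrator", "kind": "local_admin",
     "pw_fingerprint": "f1a2", "pw_last_set": date(2023, 1, 10)},
    {"host": "srv-db1", "account": "Administrator", "kind": "local_admin",
     "pw_fingerprint": "f1a2", "pw_last_set": date(2023, 1, 10)},
    {"host": "srv-web1", "account": "Administrator", "kind": "local_admin",
     "pw_fingerprint": "9c3d", "pw_last_set": date(2024, 11, 2)},
    {"host": "srv-db1", "account": "svc_backup", "kind": "service",
     "pw_fingerprint": "77ab", "pw_last_set": date(2021, 6, 1)},
    {"host": "srv-web1", "account": "svc_web", "kind": "service",
     "pw_fingerprint": "0e12", "pw_last_set": date(2024, 12, 15)},
]

# Constructed config files keyed by "host:path"; the first two are replicas
# of the same application config carrying the same embedded password.
CONFIG_FILES = {
    "srv-web1:/opt/app/db.properties":
        "db.url=jdbc:postgresql://db/app\ndb.user=app_user\ndb.password=S3cret!\n",
    "srv-web2:/opt/app/db.properties":
        "db.url=jdbc:postgresql://db/app\ndb.user=app_user\ndb.password=S3cret!\n",
    "srv-web1:/opt/app/log.conf": "level=INFO\n",
}

# Fixed audit date so the results are reproducible.
AUDIT_DATE = date(2025, 1, 1)


def shared_local_admin_passwords(inventory, min_hosts=2):
    """Return {fingerprint: sorted hosts} for every local admin password
    that is reused on at least min_hosts hosts."""
    hosts_by_fp = defaultdict(set)
    for rec in inventory:
        if rec["kind"] == "local_admin":
            hosts_by_fp[rec["pw_fingerprint"]].add(rec["host"])
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
            if len(hosts) >= min_hosts}


def stale_service_accounts(inventory, today, max_age_days=90):
    """Return sorted (host, account, age_in_days) for service accounts whose
    password is older than max_age_days."""
    stale = []
    for rec in inventory:
        if rec["kind"] != "service":
            continue
        age = (today - rec["pw_last_set"]).days
        if age > max_age_days:
            stale.append((rec["host"], rec["account"], age))
    return sorted(stale)


# Key names that commonly carry a secret in properties/ini-style files.
CRED_LINE = re.compile(
    r"^\s*[\w.\-]*(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*(\S+)",
    re.IGNORECASE | re.MULTILINE)


def embedded_credentials(config_files):
    """Return {secret_value: sorted paths} for plaintext credentials found in
    config files, grouping the replicas that share the same value."""
    paths_by_value = defaultdict(list)
    for path, text in config_files.items():
        for match in CRED_LINE.finditer(text):
            paths_by_value[match.group(1)].append(path)
    return {value: sorted(paths) for value, paths in paths_by_value.items()}


if __name__ == "__main__":
    for fp, hosts in shared_local_admin_passwords(INVENTORY).items():
        print(f"shared local admin password {fp} on {len(hosts)} hosts: {hosts}")
    for host, account, age in stale_service_accounts(INVENTORY, AUDIT_DATE):
        print(f"stale service account {account}@{host}: {age} days old")
    for value, paths in embedded_credentials(CONFIG_FILES).items():
        print(f"embedded credential replicated in {len(paths)} files: {paths}")
```

In a real deployment the inventory would come from the vault or discovery tooling and the config scan from an agent with read access to application directories; the grouping by fingerprint and by secret value is what turns a flat list of findings into the two facts that matter for remediation: how many hosts fall with one password, and how many replicas must be changed together.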

In the next post, we’ll start to break down three maturity models, using best practices as a guide.
