November 3, 2015 | Security and Risk | Gerrit Lansing
Three measures to protect privileged accounts
Benjamin Franklin once famously said, “An ounce of prevention is worth a pound of cure.” Cyber attacks are now common worldwide – Anthem, Carphone Warehouse, the German parliament, K Box Singapore, Sony Pictures, TV5Monde and the U.S. Office of Personnel Management (OPM) – and they take a tremendous economic toll. Industry estimates show that malicious cyber activities worldwide cost $300 billion to $1 trillion in losses annually.
The world’s top cyber investigators continue to see a common thread across these dangerous, targeted attacks and security breaches: the exploitation of privileged accounts. These accounts grant extensive control over sensitive data and IT systems, they’re pervasive in every organization, they’re often overlooked and therefore present a path of least resistance, and they can be powerful weapons in the wrong hands.
As the leader of CyberArk’s consulting services, my team and I regularly work with organizations, during and immediately following security incidents, to rapidly introduce controls on privileged accounts. Lessons learned from these events can be used to proactively protect against threats. Experience shows the recommendations really aren’t optional; it’s just a matter of time before organizations will have to implement them, and if it’s in response to a breach, it will be more painful.
At a high level, there are three recommended measures every company should take to proactively protect privileged accounts:
- Reduce the attack surface. The sheer volume of existing privileged accounts makes effective controls unwieldy and this creates an easy path for attackers. Don’t make it easy for them; reduce the number of privileged accounts – both shared and personal.Review your sensitive groups – think “Domain Admins” – and fiercely question whether the privilege is necessary. Eliminate accounts entirely where possible. Personal privileged accounts are difficult to control. They possess the same privileges as your shared accounts, but also face the classic challenges of human identity management.
For our customers, we recommend removing personal privileged accounts and replacing them with shared accounts via CyberArk technology. Ultimately, these accounts require the same level of control, and this approach reduces IdM overhead and vastly improves security.
- Isolate sensitive assets and accounts. Sensitive assets and highly privileged accounts should never be accessed directly from workstations. Workstations are often an attacker’s beachhead, and determined attackers can find ways to reach them. Preventing privileged accounts from crossing trust levels, i.e. not using the same account to access servers and workstations, and isolating sensitive assets by restricting access to a highly secure working environment is essential to contain an attacker’s ability to complete their mission.
- Protect privilege with strong authentication. Deploying native two-factor authentication integrations across all technology platforms is complex, time consuming, and for legacy (and often business critical) technologies often exceedingly difficult. Despite these challenges, deploying strong authentication is essential to protect systems and sensitive data.
For our customers, we recommend isolating privileged sessions and replacing personal privileged accounts with CyberArk-controlled shared accounts. This can simplify the strong authentication objective by being the intermediary for privileged access and thereby enforcing strong authentication requirements across the board.
For additional tips on protecting privileged accounts, you can also read our Best Practices Guide: The Three Phases of Securing Privileged Accounts.