Securing Privileged Accounts – A Best Practices Guide part 3
April 24, 2014 | Uncategorized | CyberArk
CyberArk recently released The Three Phases of Securing Privileged Accounts – a maturity model providing a simple, yet effective, framework for applying the best security strategy for privileged accounts in any environment. In the last post – we looked at the baseline best practices in the maturity model. This post will examine best practices for a company in the middle of the maturity model.
If your business understands the pervasiveness and power of privileged, you likely have some of the basic controls in place. Here are best practices for companies who consider themselves beyond the initial step of protecting privileged accounts – the middle of the maturity model.
Best Practices – Medium Effective Maturity
- Automatically Changing Privileged Account Passwords on a 30 or 60-day Cycle: Privileged passwords should be systematically changed on a regular schedule and should be complex, difficult to guess, and unique among accounts. Password policies, however, should not be so complex in that it encourages bad behavior such as writing down passwords.
- Use One-Time Passwords: These are passwords that are valid for only one login session or transaction. Frequently changing passwords, as frequently as after every use, makes them much harder for hackers to identify and steal. This approach significantly mitigates risk of attack (reference our Heartbleed post for a great example).
- Recording Privileged Sessions: This is especially important for any session involving a key asset, server or when third-party access is concerned. Recording privileged sessions allow companies for instantaneous playback to ascertain exactly the point of a breach or malicious behavior.
- Eliminating Human Login for Service Accounts: Allowing service accounts to be used interactively presents a significant vulnerability that can be eliminated with relative ease once an inventory of accounts is established.
- Automate Changing Hard-Coded and Embedded Passwords: Implement a process to change hard-coded or embedded passwords for scripts and service accounts. Without proper processes in place, changing hardcoded passwords can easily break something in the infrastructure. An automated system to change embedded passwords in scripts and service accounts can increase security without introducing risk.
- Focused Auditing of Admin Privileged Functions – Monitor for Anomalous Behavior: Logging all user activity and generating alerts on unusual behavior provides additional information on privileged account access and use. Integrating with the security teams can help to dramatically reduce the speed of reviews and investigations of potential incidents and/or violations.
In our last post on this topic, we’ll look at the maturity model for organizations in the far right of the spectrum of privileged account security – looking at what the most advanced and secure organizations are doing to lock down privileged accounts.