The Australian Cyber Security Centre's (ACSC) "Essential Eight" is a helpful resource for IT leaders responsible for planning and executing their organisation's cyber security strategy. Although it was compiled with Australian federal and state agencies in mind, the guide lays out a baseline defence plan: a list of mitigation strategies that help organisations protect their systems against a range of cyber threats.
One of these strategies is restricting administrative privileges, which is vital to an organisation's IT security. Attackers looking for a way into an organisation's network often target users who hold administrative privileges. Anyone who takes over an unused privileged account gains access to almost everything the account owner can reach. This is why privileged user accounts are considered the "keys to the kingdom."
The ACSC isn't the only institution asserting the importance of managing privileged accounts and restricting access privileges; a number of other firms and security experts continually advocate privileged access management (PAM). Gartner, at its Security and Risk Management Summit in June, laid out the top 10 security projects that chief information security officers (CISOs) should concentrate on in 2018, and PAM stood first among them. Despite these steady reminders, many privileged accounts remain poorly protected, ignored, or mismanaged, making them easy targets. With that in mind, here's a list of essential policies that every IT manager or security administrator should implement to protect privileged accounts.
1) Track and consolidate all privileged accounts—old and new—with an automated discovery mechanism.
The first step to secure and manage your organisation's privileged accounts is to discover all critical assets on your corporate network, as well as the associated accounts and credentials. As your organisation grows and expands its infrastructure, you should ensure that your IT team is equipped with a strong discovery mechanism to tackle the proliferation of privileged accounts and keep track of them. Running a fully automated program that regularly scans your network, detects new accounts, and adds them to a central database is the best way to build a strong foundation for your PAM strategy.
2) Store privileged accounts in a secure, centralised vault.
Do away with localised, siloed databases that are often maintained by various teams. More importantly, make sure employees stop writing down passwords on sticky notes or storing them in plain text files. These practices are dangerous: they lead to outdated passwords and coordination problems, and ultimately to operational inefficiency. Instead, catalogue the privileged accounts and credentials belonging to all departments in one centralised repository, and encrypt the stored credentials with a well-known algorithm such as AES-256 to guard against unauthorised access.
3) Establish clearer roles with limited access privileges.
Once your organisation's privileged accounts are securely locked in a vault, it's time to decide who should have the keys. As the ACSC puts it, "restrict administrative privileges to operating systems and applications based on user duties." You can do this by charting clear roles for the members of your IT team, making sure that privileged accounts are not used for routine activities such as reading email or web browsing, and ensuring that each member's role grants only the minimum access privileges required.
4) Require multi-factor authentication for employees and third parties alike.
According to Symantec’s 2016 Internet Security Threat Report, 80 percent of breaches can be prevented by using multi-factor authentication. Implementing two-factor or multi-factor authentication for both PAM administrators and end users will guarantee that only the right people have access to sensitive resources.
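The server-side half of a second factor is where most implementations go wrong: codes are compared with ordinary string equality, drift handling is absent, or the same code is accepted twice. The following is an added example, not code from the article or from any PAM product, showing an RFC 6238 TOTP check as a PAM login might perform it. It uses only the Python standard library; the secret and timestamps are the published RFC 4226/6238 test values, not real accounts.

```python
"""Server-side TOTP (RFC 6238) verification with drift tolerance and
replay protection. Added example; the secret below is the RFC test
value "12345678901234567890", used here purely to make the output
reproducible."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app is provisioned with,
    tolerating the spaces and missing padding such strings usually have."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * ((8 - len(cleaned) % 8) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code for UNIX time `at` (30-second steps)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Validates codes for one enrolled user.

    Accepts codes from +/- `window` time steps to tolerate clock drift,
    and never accepts a time step at or below the last one redeemed, so a
    code observed over a shoulder or in a log cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_counter = -1  # highest time step consumed so far

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # Each time step may be redeemed once (replay protection).
            if counter <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, counter)
            # Constant-time compare: no timing side channel on the digits.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET)
    print("first use:", v.verify(totp(TEST_SECRET, 59), 59))   # True
    print("replayed: ", v.verify(totp(TEST_SECRET, 59), 59))   # False
```

The `window` of one step on either side is the usual compromise between usability and exposure; widening it beyond that multiplies the number of codes an attacker could guess per attempt, so pair it with rate limiting on the login endpoint.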
5) Share privileged account credentials without revealing them in plaintext.
Beyond eliminating security vulnerabilities related to loose role division, it's also important to implement secure sharing practices. For ultimate protection, your organisation's PAM administrator should be able to provide employees or contractors access to IT assets without disclosing the credentials in plain text. Users should instead be allowed to launch one-click connections to target devices from the PAM tool's interface, without viewing or manually entering the credentials.
6) Enforce strict policies for automatic password resets.
Convenient as it may be for IT teams to use the same password for every privileged account on the network, this is an unhealthy practice that ultimately fosters a fundamentally insecure environment. Secure management of privileged accounts requires the use of strong, unique passwords that are periodically reset. You should make automatic password resets an integral part of your PAM strategy to get rid of unchanged passwords and protect sensitive resources from unauthorised access.
7) Fine-tune your access policy by adding release controls for password retrieval.
Establish a policy that forces users to send a request to your organisation's PAM administrator whenever they require specific account credentials to access a remote asset. To further reinforce control, provision users only with temporary, time-based access to these credentials, with built-in options to revoke access and forcefully check in passwords when the stipulated time expires. For further security, you can also automatically reset passwords once users check them in.
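Points 3, 6 and 7 together describe one workflow: a request is checked against the requester's role, an administrator approves it, the credential is released under a lease, and check-in (voluntary or forced at expiry) triggers a reset. The following is an added example, not the article's or any vendor's code, modelling that workflow in plain Python. The roles, users and asset names are constructed, `rotate_password` stands in for whatever the PAM tool does to reset the target account, and time is passed in explicitly so the expiry path can be exercised deterministically.

```python
"""Request -> approve -> lease -> check-in workflow for privileged
credentials. Added example with constructed roles and assets."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed role model: which roles may check out which assets.
ROLE_ASSETS = {
    "dba": {"prod-db-01"},
    "linux-admin": {"prod-db-01", "web-01"},
    "helpdesk": set(),
}
USER_ROLES = {"alice": "dba", "bob": "helpdesk", "carol": "linux-admin"}


def rotate_password(length: int = 24) -> str:
    """Stand-in for the PAM tool's reset routine: a fresh random password."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Lease:
    user: str
    asset: str
    expires_at: int
    checked_in: bool = False

    def active(self, now: int) -> bool:
        return not self.checked_in and self.expires_at > now


@dataclass
class Vault:
    passwords: Dict[str, str]                       # asset -> current password
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    leases: Dict[str, Lease] = field(default_factory=dict)  # asset -> lease
    audit: List[Tuple] = field(default_factory=list)
    _seq: int = 0

    def request(self, user: str, asset: str, now: int) -> Optional[str]:
        """Release control 1: the requester's role must cover the asset."""
        role = USER_ROLES.get(user)
        if asset not in ROLE_ASSETS.get(role, set()):
            self.audit.append(("DENIED", user, asset, now))
            return None
        self._seq += 1
        req_id = f"REQ-{self._seq}"
        self.pending[req_id] = (user, asset)
        self.audit.append(("REQUESTED", user, asset, now))
        return req_id

    def approve(self, req_id: str, approver: str, now: int, ttl: int) -> Optional[str]:
        """Release controls 2 and 3: no self-approval, one live lease per asset.
        Returns the credential only when a time-limited lease is granted."""
        user, asset = self.pending.pop(req_id)      # KeyError for unknown ids
        if approver == user:
            self.audit.append(("SELF_APPROVAL_BLOCKED", user, asset, now))
            return None
        live = self.leases.get(asset)
        if live is not None and live.active(now):
            self.audit.append(("BUSY", user, asset, now))
            return None
        self.leases[asset] = Lease(user, asset, now + ttl)
        self.audit.append(("CHECKOUT", user, asset, now, approver))
        return self.passwords[asset]

    def check_in(self, asset: str, now: int, forced: bool = False) -> bool:
        """End the lease and reset the password so the released value dies."""
        lease = self.leases.get(asset)
        if lease is None or lease.checked_in:
            return False
        lease.checked_in = True
        self.passwords[asset] = rotate_password()
        kind = "FORCED_CHECKIN" if forced else "CHECKIN"
        self.audit.append((kind, lease.user, asset, now))
        return True

    def expire(self, now: int) -> List[str]:
        """Revoke every lease past its time: forced check-in plus reset."""
        overdue = [a for a, l in self.leases.items()
                   if not l.checked_in and l.expires_at <= now]
        for asset in overdue:
            self.check_in(asset, now, forced=True)
        return overdue
```

Run `expire()` from a scheduler; everything a reviewer later needs (who asked, who approved, when it was revoked) is already in `audit`, which is the same record point 9 below asks for.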
8) Stop embedding credentials within script files.
Many applications require frequent access to databases and other applications to query business-related information. Organisations often automate this communication by embedding the application credentials in clear text within configuration files and scripts, but it's hard for administrators to identify, change, and manage these embedded passwords. As a result, the credentials are simply left unchanged so as not to hinder business productivity. Hard-coding credentials may make technicians' jobs easier, but it also gives attackers an easy launch point into an organisation's network. Instead, your IT team can use secure APIs to let applications query your PAM tool directly whenever they need to retrieve privileged credentials for another application or a remote asset.
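Before credentials can be moved into a PAM tool they have to be found, and the usual first pass is a scanner that flags assignments of a literal value to a password-like key while ignoring values that merely reference a secret store. The following is an added example, not the article's or any product's code: a small stdlib-only scanner run over constructed file contents. The `pam_get_secret(...)` call in the sample `settings.py` is a hypothetical stand-in for the PAM tool's API, included only to show the shape of the replacement.

```python
"""Scan config and script text for embedded credentials. Added example;
file contents below are constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

# Key names that commonly carry a secret.
KEY_RE = re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)")

# `key = value`, `key: value`, `export KEY="value"` (ini/yaml/env/shell/python).
ASSIGN_RE = re.compile(
    r'^\s*(?:export\s+)?(?P<key>[A-Za-z_][\w.\-]*)\s*[:=]\s*'
    r'(?P<q>["\']?)(?P<val>[^"\'\s#;]{4,})(?P=q)'
)

# Values that point at a secret store instead of holding the secret:
# ${VAR}, $(cmd), os.environ[...], the hypothetical pam_get_secret(...),
# <placeholder>, and masked values such as ********.
INDIRECT_RE = re.compile(
    r"^(\$\{?\w+\}?$|\$\(|os\.environ|pam_get_secret\(|<[^>]*>$|\*{3,}$)"
)

# Constructed sample files: two hard-coded secrets, one masked, two indirect.
SAMPLE_FILES: Dict[str, str] = {
    "app.ini": "[database]\nhost = db.internal\nuser = reportsvc\n"
               "password = Summer2018!\n",
    "deploy.sh": "#!/bin/sh\nexport DB_PASSWORD=\"Summer2018!\"\n"
                 "export DB_PASSWORD_FILE=/run/secrets/db\n",
    "settings.py": "API_TOKEN = os.environ['API_TOKEN']\n"
                   "DB_PASSWORD = pam_get_secret('prod-db-01')\n",
    "config.yaml": "db:\n  password: ${DB_PASSWORD}\n"
                   "  api_key: abcd1234efgh5678\n",
}


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, key) for each literal secret found.
    The value itself is deliberately not returned: a findings report
    must not become another plain-text copy of the password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if not KEY_RE.search(key):
            continue
        # *_FILE keys hold a path to a mounted secret, not the secret.
        if key.lower().endswith("_file"):
            continue
        if INDIRECT_RE.match(val):
            continue
        findings.append((name, lineno, key))
    return findings


def scan_all(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan an in-memory {filename: contents} map; swap in os.walk + open()
    to run it over a real checkout."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


if __name__ == "__main__":
    for path, lineno, key in scan_all(SAMPLE_FILES):
        print(f"{path}:{lineno}: literal value assigned to '{key}'")
```

Expect false positives from a regex scanner (test fixtures, example configs); the point is to produce a finite worklist, after which each hit is replaced with a lookup like the `settings.py` lines and the old value is rotated in the PAM tool.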
9) Make sure everything is audited.
When it comes down to it, comprehensive audit records, real-time alerts, and notifications are what make privileged activity visible and attributable. Capture every single user operation and establish accountability and transparency for all PAM-related actions. Integrating with an in-house event logging tool also helps, by consolidating PAM activities with events from the rest of your organisation and flagging unusual activity. This proves extremely useful in acquiring a comprehensive overview of security events and detecting breaches or insider exploits.
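An audit trail only pays off when something reads it. The following is an added example, not the article's or any product's code, showing three detections a SIEM or a cron job could run over PAM audit events: a checkout outside business hours, a burst of denied requests from one user, and a checkout approved by the requester. The JSON-lines events, the field names and the 07:00 to 19:00 UTC business window are all constructed assumptions.

```python
"""Detection rules over constructed PAM audit events. Added example."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed audit log (JSON lines). Field names are an assumption.
SAMPLE_AUDIT = """\
{"ts":"2018-09-03T09:12:00Z","event":"CHECKOUT","user":"alice","asset":"prod-db-01","approver":"pam-admin"}
{"ts":"2018-09-03T09:40:00Z","event":"CHECKIN","user":"alice","asset":"prod-db-01"}
{"ts":"2018-09-03T23:05:00Z","event":"CHECKOUT","user":"carol","asset":"web-01","approver":"pam-admin"}
{"ts":"2018-09-04T02:10:00Z","event":"DENIED","user":"bob","asset":"prod-db-01"}
{"ts":"2018-09-04T02:11:00Z","event":"DENIED","user":"bob","asset":"web-01"}
{"ts":"2018-09-04T02:13:00Z","event":"DENIED","user":"bob","asset":"prod-db-01"}
{"ts":"2018-09-04T10:00:00Z","event":"CHECKOUT","user":"dave","asset":"prod-db-01","approver":"dave"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines; timestamps are UTC in the form 2018-09-03T09:12:00Z."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["dt"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(e)
    return events


def detect(events: List[Dict], business_hours: Tuple[int, int] = (7, 19),
           burst_n: int = 3, burst_window_s: int = 600) -> List[Tuple[str, str, str]]:
    """Return (rule, user, ts) alerts in the order they fire."""
    alerts = []
    denials = defaultdict(list)  # user -> timestamps of denials inside the window
    for e in events:
        kind, user, dt = e["event"], e["user"], e["dt"]
        if kind == "CHECKOUT":
            # Privileged access at 23:05 is not necessarily wrong, but it is
            # worth a human look; adjust the window to the team's actual hours.
            if not (business_hours[0] <= dt.hour < business_hours[1]):
                alerts.append(("OFF_HOURS_CHECKOUT", user, e["ts"]))
            # Release controls are void if the requester approved themselves.
            if e.get("approver") == user:
                alerts.append(("SELF_APPROVED_CHECKOUT", user, e["ts"]))
        elif kind == "DENIED":
            window = denials[user] + [dt]
            # Keep only denials inside the sliding window.
            denials[user] = [t for t in window
                             if (dt - t).total_seconds() <= burst_window_s]
            # Repeated denials look like someone probing what their role allows.
            if len(denials[user]) >= burst_n:
                alerts.append(("DENIAL_BURST", user, e["ts"]))
                denials[user] = []  # one alert per burst, not one per event
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(parse_events(SAMPLE_AUDIT)):
        print(f"{ts} {rule} user={user}")
```

Each rule is deliberately simple and explainable; the value comes from running them against the consolidated log the paragraph above describes, where a PAM event can be joined with the VPN or endpoint events around it.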
Executing these nine policies isn't going to be an end-all solution to security; there's always more to be done. According to Verizon's 2018 Data Breach Investigation Report, of the 2,216 confirmed data breaches in 2017, 201 were due to privilege abuse. A statistic like that highlights the importance not only of protecting privileged accounts, but also of recording and monitoring privileged sessions to stay vigilant and detect unusual access. Your privileged account management strategy should support your strategy for controlling privileged access to your critical assets, which in turn should support your identity and access management plan, and so on. That's the best way to protect an organisation: keep widening your boundaries and securing them, because the war against cybercriminals is unending.