Every organization has privileged users — employees, subcontractors, and even customers — who are authorized to access critical applications and sensitive data. But those elevated privileges make organizations vulnerable: if a privileged user makes a mistake or an attacker gets access to a privileged account, it puts your most valuable data at risk. According to Centrify’s Privileged Access Management in the Modern Threatscape survey of 1000 IT decision-makers in the U.K. and U.S., compromised credentials of privileged users were involved in 74% of data breaches faced by respondents.
In this article, we go over the five most common inadvertent mistakes made by privileged users. We tell you why people tend to make these mistakes and give some advice on how to prevent privileged users from becoming inadvertent insider threats.
The danger of inadvertent mistakes
People make mistakes. The problem is that even when actions are unintentional, they can cause serious damage to your organization. For instance, if one of your employees inadvertently causes a data breach, your company will lose not only sensitive data but also money (both in fines and lost revenue) and reputation.
The 2018 Cost of Insider Threats report by the Ponemon Institute states that inadvertent insiders — those who cause damage to their organizations unintentionally — are responsible for 64% of all security incidents.
But human error becomes even more dangerous when the error is made by a privileged user. Privileged users can be either humans or system-related identities: applications, programs, or processes. But while machines and applications do what they’re explicitly programmed to, people don’t always play by the rules.
Having access to the most critical resources of your company, privileged users can cause massive data leaks, halt or crash critical processes, and even prevent your entire IT infrastructure from operating properly.
This is why privileged user management is one of the key requirements of NIST, HIPAA, and other security standards and industry regulations. It’s also why you should be aware of the most common mistakes made by privileged users. With this knowledge, it will be easier for you to prevent privileged users from making these mistakes so you won’t have to deal with the negative consequences later.
5 unintentional mistakes of privileged users
Most mistakes made by users, both regular and privileged, are caused by ignorance or negligence. Some people don’t know or don’t understand the true importance of cybersecurity policies. Others break the rules to simplify or speed up routine processes without thinking about the consequences.
Let’s take a look at five mistakes privileged users tend to make.
1. Mismanaging passwords
Passwords are the keys that protect your sensitive data, systems, and applications from intruders. There are a number of recommendations for managing passwords securely, including using complex combinations of letters, numbers, and symbols instead of default easy-to-guess passwords and regularly rotating all passwords. Unfortunately, while many people know about these recommendations, few bother to follow them.
Here are the five most common password management-related mistakes to watch for in your privileged users’ daily routines:
Using default credentials. Many organizations still use default credentials for privileged user accounts. For instance, they may use the word “admin” as both the login and password to the sys admin account. However, a secure password shouldn’t be easy to guess; otherwise, your privileged accounts will be extremely vulnerable to brute-force attacks.
Using weak passwords. Similar to default credentials, weak passwords fail to accomplish their main purpose — to protect an account from unauthorized access. Passwords can be considered weak if they’re short (six symbols or fewer) or easy to guess (names, birthdates, phone numbers, and so on).
Using the same password for multiple accounts. Another common bad practice regarding password management is the tendency to reuse passwords across multiple accounts. The key danger here is that if a reused password gets compromised, attackers will get access to all accounts it was used for.
Storing passwords in plain text. The way your privileged users store their passwords also matters a lot. One of the most common practices — and one that’s absolutely inappropriate from a security point of view — is to store passwords in unencrypted text files. The moment someone gets access to that file is often the beginning of a large data breach.
Using non-expiring passwords. Just like your favorite ice cream, passwords should have an expiration date. Most security standards and password management best practices recommend rotating passwords every three to six months. The longer you use the same password for a specific account, the weaker it gets. Also, when an employee with privileged access leaves the company, all passwords to the employee’s accounts should be revoked or changed.
2. Disabling or not using MFA
Multi-factor authentication (MFA) is a cybersecurity gold standard of our times. This technology protects your sensitive data from unauthorized access much better than a password alone by adding one more verification layer to the authentication process.
A password can be stolen or guessed, and cyber criminals are pretty good at that. However, tricking an MFA mechanism isn’t as easy as compromising a password.
The problem is that privileged users can sometimes disable additional authentication measures. When they do disable MFA, your sensitive data loses this extra layer of protection.
Usually, people don’t want to use MFA because they don’t understand its true importance and think that waiting for a verification passcode is just a waste of time.
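The password mistakes listed in section 1 and the disabled-MFA problem in section 2 are all auditable from a credential vault export. The following audit script is an added example, not part of the original article or of any Ekran System product; the account fields, the 180-day rotation limit, and the sample inventory are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export of a privileged-account inventory (not real data).
TODAY = date(2019, 6, 1)
MAX_AGE = timedelta(days=180)      # rotate at least every six months, as above
DEFAULT_PASSWORDS = {"admin", "password", "root", "changeme"}

@dataclass
class Account:
    user: str
    system: str
    password: str        # from a vault export; never read from live systems
    last_rotated: date
    mfa_enabled: bool

SAMPLE_ACCOUNTS = [
    Account("admin", "web-frontend", "admin", date(2019, 5, 1), True),
    Account("alice", "db-prod", "Tr0ub4dor&3xyz", date(2018, 11, 1), True),
    Account("bob", "db-prod", "Tr0ub4dor&3xyz", date(2019, 5, 20), False),
    Account("carol", "cloud-console", "Xk9#vLm2pQ!r", date(2019, 5, 10), True),
]

def audit(accounts, today=TODAY):
    """Return {user@system: set of findings} for the mistakes described above."""
    findings = defaultdict(set)
    by_password = defaultdict(list)          # for the reuse check
    for a in accounts:
        key = f"{a.user}@{a.system}"
        by_password[a.password].append(key)
        pw = a.password.lower()
        if pw in DEFAULT_PASSWORDS or pw == a.user.lower():
            findings[key].add("default credentials")
        if len(a.password) <= 6:
            findings[key].add("weak password")
        if today - a.last_rotated > MAX_AGE:
            findings[key].add("password not rotated")
        if not a.mfa_enabled:
            findings[key].add("MFA disabled")
    for keys in by_password.values():
        if len(keys) > 1:                    # same secret on several accounts
            for k in keys:
                findings[k].add("password reused")
    return dict(findings)
```

Accounts with no findings (here, carol) are simply absent from the result, so an empty dictionary means the inventory passed every check.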
3. Sharing privileges with others
Ideally, privileges should be granted only to those who really need them, when they need them, and only after the approval of your cybersecurity officer or department. But in real life, colleagues often share privileged account credentials without giving it a second thought.
Another common scenario is when a team shares one admin account to manage an application, website, or cloud storage because each extra account would cost additional money.
But when it comes to privileged user activity, visibility is essential. If you have two or more people using the same account, you can’t actually tell who did what. So if data is compromised or something stops functioning the way it should, you won’t be able to tell who is responsible for that.
The solution is obvious: create personal privileged accounts wherever possible. And if you can’t provide each privileged user with their own privileged account, try to add more visibility to the actions they perform under a shared account. Secondary authentication is one technology that can help you with this.
4. Using an admin account throughout the day
Another well-known security best practice is to distinguish privileged user accounts from regular ones and never use privileged accounts to perform day-to-day tasks. This is why in many companies, employees can have several accounts with different access permissions assigned to each.
However, being logged into a privileged account all the time increases the chances of account compromise and makes privileged accounts more vulnerable to phishing attacks and zero-day attacks. For instance, a user may stumble upon an email with malware attachments or a compromised website trying to launch a malicious script.
If a user wants to surf the internet, check personal email, or download something from the web, they should log out of the privileged account first. Unfortunately, not all privileged users follow this recommendation.
5. Ignoring cybersecurity policies
No matter what set of rules is specified in a company’s cybersecurity policy, you’re likely to find someone who disobeys them. People don’t follow these rules for different reasons:
- Ignorance – Some of your employees or subcontractors may be unaware of specific rules and recommendations. Sometimes, people don’t even know there’s a cybersecurity policy they should follow.
- Negligence – People may know the rules but not understand why following them is important.
- Inconvenience – Sometimes, people choose to ignore cybersecurity policies because following them slows down their work or adds more challenges to their daily tasks.
The most common examples of rule-breaking are the use of personal devices and shadow IT.
It’s true that many organizations today implement a bring your own device (BYOD) policy, allowing employees to use personal devices for their jobs. However, the key to benefiting from BYOD lies in close cooperation with an organization’s IT department. If your company’s IT department isn’t aware of devices used by employees with access privileges, there’s no way they can manage and secure them.
For cloud services, software, and applications used without the knowledge and approval of the IT department, the situation is much the same as with BYOD violations.
How can you prevent these mistakes?
There are several ways you can prevent privileged users from making these and many other mistakes and thus lower the risk of turning your regular employees into inadvertent insider threats. Below, we list some of the most effective measures for mitigating the risk of inadvertent mistakes by privileged users.
Clarify the rules and make them known. Start with specifying the rules for every process your privileged users are involved in. Then educate your employees and subcontractors on these rules. Make sure people know the rules and understand why it’s important to follow them. Educate both regular and privileged users to improve the overall cybersecurity of your company.
Deploy a password management solution. Consider using a dedicated password management tool or service alongside specifying rules for password use in your cybersecurity policy. Look for a solution that allows for securely storing, managing, rotating, and revoking passwords.
Protect your sensitive assets with MFA. Make MFA mandatory for the most important and valuable resources in your company. But don’t overdo it, as increasing the number of required identity verifications can also increase the level of employee frustration and discomfort.
Use role-based access control (RBAC). Spend some time defining specific roles within your company and assigning granular access rights to each. In this way, you can effectively implement the principle of least privilege and make sure that people in your company have just the right privileges to do their jobs.
Monitor and effectively manage privileged users. Watch your privileged users closely so you can see who did what and quickly respond to possible incidents. Look for a privileged user activity monitoring solution that allows for monitoring and logging of privileged sessions so you’ll have quality data for security audits. Being able to set custom alerts and automatically terminate suspicious processes and accounts would also be useful. Further, consider implementing a privileged access management (PAM) solution to ensure a higher level of user access granularity and effective control of privileged users.
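One concrete monitoring check that follows from section 3 (shared accounts destroy attribution) is to flag a privileged account that logs in from different hosts within a short window. The detector below is an added example, not code from the article or from Ekran System; the log line format, the 10-minute window, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from any real system).
SAMPLE_LOG = """\
2019-06-01T09:00:12Z login user=admin src=10.0.0.5
2019-06-01T09:03:40Z login user=admin src=10.0.0.17
2019-06-01T09:05:02Z login user=alice src=10.0.0.5
2019-06-01T11:45:00Z login user=admin src=10.0.0.5
2019-06-01T14:10:30Z login user=bob src=10.0.0.9
2019-06-01T14:12:01Z login user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+)$")
WINDOW = timedelta(minutes=10)   # assumed: logins closer than this are "concurrent"

def parse(log_text):
    """Turn log lines into (timestamp, user, source host) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events

def find_shared_accounts(events, window=WINDOW):
    """Map account -> set of source hosts seen logging in within `window` of each other.

    One account active from several hosts at nearly the same time is a strong sign
    that the credential is shared between people (or has been stolen)."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()                        # chronological order per account
        for i, (t1, s1) in enumerate(logins):
            for t2, s2 in logins[i + 1:]:
                if t2 - t1 > window:         # later logins are even further away
                    break
                if s1 != s2:
                    alerts.setdefault(user, set()).update({s1, s2})
    return alerts
```

In the sample, only the admin account trips the check: two logins from different hosts three minutes apart, while bob's repeated logins from one host are ignored.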
Ekran System is an ultimate insider threat protection platform that provides you with all the tools and capabilities you need. Using our platform, you can add granularity to privileged access management, increase the protection of privileged accounts, and add visibility to actions taken by privileged users.
Privileged users can pose a serious threat to an organization’s cybersecurity. They have access to restricted data and services, which makes them a key target for cyber criminals. And just like any human being, they aren’t immune to making mistakes.
The most common inadvertent mistakes a privileged user can make are:
- Mismanaging passwords
- Sharing privileged credentials
- Not using MFA where it can be enabled
- Performing regular tasks from an administrator account
- Ignoring an organization’s cybersecurity policies
To prevent privileged users from making these mistakes, organizations should start with creating a comprehensive cybersecurity policy. The next step is to educate all employees and subcontractors on the true importance of these rules and explain the consequences of not following them.
For better results, organizations can also implement multi-factor authentication, password managers, activity monitoring, and privileged access management solutions.