System administrators hold the keys to your organization’s cybersecurity. However, their accounts can also be a source of cybersecurity risks to your company. Both cybercriminals and malicious administrators can exploit the elevated privileges for their own benefit.
In this article, we explore key risks coming from admin accounts and offer seven effective practices you can adopt to secure administrative access to your organization’s critical systems and data.
Why system administrators deserve special attention
Keys help you enter your home, but a thief can use them too.
System administrators are employees responsible for the installation, maintenance, and configuration of an organization’s computer systems, networks, and servers. Working with both hardware and software, they have to follow strict cybersecurity policies to ensure the security of a company’s sensitive data and the entire IT infrastructure.
System administrators have more access rights than other employees. They can:
- Access all files and data within the corporate network
- Create and delete accounts, both regular and privileged
- Assign access rights to user accounts
- Download, upgrade, and remove software
- Modify corporate systems
Depending on an organization’s type and size, system administrators can be categorized as follows:
- Database administrators are responsible for the integrity of data and the efficiency, maintenance, and performance of the database system.
- Network administrators maintain network infrastructure such as switches and routers and diagnose problems with the behavior of network-attached computers.
- Security administrators handle computer and network security and communicate general security measures to an organization’s staff.
- Web administrators maintain web server services that allow for internal or external access to websites and may also manage software.
- Computer administrators perform routine maintenance and upkeep of computer equipment, such as changing backup tapes or replacing failed drives in a redundant array of independent disks.
- Telecommunications administrators are responsible for maintaining equipment and networks that provide data and voice communication systems, such as telephone, video conferencing, computer, and voicemail systems.
In some organizations, system administrators can take on several or even all of these roles. But since sysadmins have this degree of access, their accounts pose a significant threat to system security.
Top 3 threat vectors for system administrators’ accounts
What can go wrong with your keys?
Because of their elevated access rights, sysadmin accounts carry potential risks for the organization’s cybersecurity. Elevated privileges can harm an organization if they fall into the wrong hands.
Major threat vectors related to system administrators’ accounts are:
- External cyber attacks
- Poor security practices
- Malicious insider activity
Let’s take a closer look.
External cyber attacks
A criminal can open the doors with your keys.
Cybercriminals can steal or disrupt an organization’s sensitive data by compromising a sysadmin’s account. While there are a number of ways to do this, most involve gaining account credentials.
Insider-related credential theft, for example, nearly doubled between 2020 and 2022. “At an average of $804,997 per incident, credential theft is the costliest to remediate” according to the 2022 Cost of Insider Threats Global Report.
Compromised administrative accounts can cost substantially more, because elevated account privileges grant access to far more valuable assets.
To compromise a sysadmin’s account, cybercriminals can use the following:
- Keylogging malware
Keylogging malware captures users’ keystrokes, thereby acquiring logins and passwords. The information is then sent to an attacker. This malware can be intentionally installed on a machine by a malicious insider or by an outside attacker. Common techniques for installing keylogging malware include drive-by downloads, infected USB devices, and watering hole attacks.
- Phishing techniques
Even the most sophisticated firewall can be useless when social engineering comes in. Cybercriminals can email their victims on behalf of a trusted source and trick the recipients into compromising important data or account credentials. A phishing email may also contain a malicious file. While looking like a regular document, an attachment may have a virus that will infect the system if opened.
- Hacked user databases
Sometimes, e-commerce and social media websites get hacked and their databases along with user credentials end up in cybercriminals’ hands. The problem is that people tend to reuse their passwords for both personal and corporate accounts. Since up to 73% of passwords are duplicates, attackers can successfully use credentials compromised in public breaches against corporate accounts.
- Pass the hash attacks
This hacking technique allows an attacker to steal password hashes after they’re left in memory instead of stealing complete passwords. To perform a pass the hash attack, an attacker can dump authenticated user credentials stored in memory or dump the local user’s account database.
- Credential stuffing and password spraying
A credential stuffing attack is possible if an attacker gains access to a list of credentials like passwords and tries to use them against multiple accounts to see if there’s a match. A password spraying attack is performed when a cybercriminal has a list of usernames and tests each username against a list of the most commonly used passwords. They can also try to bypass the limit of repeated password attempts by using multiple IP addresses.
- Vulnerability exploits
Cybercriminals may use system vulnerabilities or system administrators’ negligence to take control over sysadmin accounts. For example, if a sysadmin logs in to a hacked computer, their account can get compromised.
System administrator negligence
Holding the keys entails responsibility.
System administrators themselves are sometimes unwittingly responsible for account compromise. External attacks are frequently successful due to a careless attitude towards performing sysadmin duties.
Let’s take a look at ways administrators might assist in compromising their credentials:
- Logging on to unsecured endpoints
Logging on with administrator accounts to unprotected computers outside an organization’s perimeter may expose such accounts to attackers. This is especially relevant now, in the post COVID-19 remote work reality, when even a system administrator may be working from home via their personal laptop. If the unsecured computer is infected with malware or hacked in some other way, the privileged account can be easily compromised.
- Sharing administrative accounts
Instead of having several identities, system administrators may share a single super-admin account to accomplish numerous tasks. For example, someone might use it to set up a computer for a new employee while another person is configuring the company’s network. When a shared admin account is abused, identifying the perpetrator might be difficult.
If such an account is compromised at one of the endpoints, the entire system is in danger. In addition, it’s much harder to recover or disable such a highly privileged account.
- Using administrative accounts for daily activities
A similar risk is related to using the system administrator account to perform everyday tasks such as checking email, chatting on social media, downloading content, or simply surfing the internet. Though seemingly innocent, these activities conceal a number of ways to compromise an admin account, freeing the perpetrator’s hands to carry out their evil deeds.
Plus, if a compromised account has administrative Active Directory rights, the whole domain may be in danger.
- Using poor password management practices
Poor password handling is unacceptable in the circles of system administrators, since their job is to promote system security instead of exposing the system to risks. Nonetheless, some sysadmins have unhealthy password habits.
To name a few:
- Using the same password for different administrative accounts
- Not updating passwords regularly
- Storing passwords in the browser cache
- Sharing credentials with colleagues
Obviously, such negligence paves the way to a compromised admin account.
- Having too many administrative accounts in the system
Overpopulating the system with administrative accounts expands the attack surface. The more administrative accounts you have in an organization’s network, the higher the risk of one of them getting compromised.
In addition, it’s hard to maintain and manage a large number of accounts (rotate passwords regularly, remove access rights that accounts no longer need, track account activity, etc.).
Malicious activity of system administrators
Do you trust the person holding your keys?
As we discussed earlier, full access rights to your organization’s systems provide system administrators with almost unlimited opportunities.
In wicked hands, this power can harm your organization in a variety of ways:
- Manipulate files and sensitive data
- Transfer confidential information to third parties
- Alter corporate systems and networks
- Create backdoor accounts with elevated rights
- Act under accounts of other employees
- Install malware or shadow IT
- Exploit vulnerabilities of the corporate network
Whether driven by a desire for personal benefit or managed from the outside, as in cases of industrial espionage, malicious insiders are extremely difficult to identify.
System administrators are good at camouflaging their actions. Elevated access rights allow them to cover traces of cybercrime by using accounts of other employees, deleting applications, and erasing or modifying event logs.
It can take years to detect a crime committed by a malicious sysadmin. For instance, Brandon Coughlin, who was sentenced to prison only in 2017, created an undisclosed administrative account with full access and control of a Pennsylvania clinic group’s computer system just two days after he finished his job at the company back in 2013. He proceeded to make fraudulent technology purchases and delete computer settings and data until mid-2015, when the clinic group finally changed the system administrator’s credentials. His actions caused a financial loss of approximately $60,000 to the group.
In one of our previous posts, we discussed the risks posed by users with elevated privileges, as well as the implications of poorly managed privilege escalation. Check out our advice on how to deal with this in the article below:
7 best practices to secure system administrators’ accounts
There are multiple ways administrative accounts can be compromised. Fortunately, there are system administrator security best practices you can apply to minimize the risks posed by privileged users and sysadmins:
1. Assess the risks posed by system administrators
Think about how your keys can be abused.
Identify all of your critical assets and people who have unrestricted access to them. Think about how many system administrators your organization has. What access rights do they possess? How can you make sure that sysadmins follow your security policies?
Use this information to choose the right security controls and implement an efficient strategy for administrator privileged account security.
2. Establish robust security policies
Describe how everyone should be using your keys.
Make sure you have formal written policies on working with corporate networks and systems. Clearly describe all cybersecurity measures applied within your organization. Take a look at Stanford University’s Guide for System Administrators and the University of Arizona’s Acceptable Use for System Administrators Policy.
Although administrators are cybersecurity professionals themselves, ensure that they are aware of and follow all of your security requirements.
3. Enhance your password management
Don’t just hide the keys under the mat.
Strong password management is essential both for cybersecurity and compliance purposes.
Enrich your security policies with a description of healthy password habits, such as creating complex passwords, updating them regularly, and using different passwords for different accounts.
However, this might not be enough.
To secure root and administrator credentials within your organization, apply practices recommended by cybersecurity regulations and standards relevant to your industry.
For example, you can use dedicated password management solutions. Consider Ekran System – a universal insider risk management platform with privileged access management (PAM) functionality that will allow you to securely store, deliver, and handle administrative credentials.
4. Use and manage accounts wisely
Keep the keys safe.
Check these helpful tips on how to securely use and manage accounts of system administrators:
- Limit the use of admin accounts. Make sure that your system administrators use their admin accounts only when needed and use regular accounts for daily tasks. Also, try to keep admin accounts signed out. Staying signed in permanently increases the likelihood of account compromise.
- Create separate accounts for different admin duties. Create separate roles for your admins based on the tasks they need to perform and the level of access required. You can create one super admin account and multiple role-based (less privileged) admin accounts. This will help you limit the amount of power held by each admin and minimize the scope of possible privilege abuse.
- Avoid using shared admin accounts. Sharing one administrator account with multiple users makes it impossible to monitor and audit actions of particular users. If you have no other choice but to use a shared account, consider applying secondary authentication, as it helps to identify actions of individual users of a shared account.
To manage administrative accounts more efficiently, you can use the PAM capabilities of Ekran System. It will allow you to configure different levels of access for your sysadmins’ accounts.
5. Restrict access to critical systems
Do not just give the keys to everyone. And keep the doors shut.
Elevated access permissions are what make system administrators’ accounts so attractive to malicious users. To minimize the chances of a system administrator’s account being compromised, consider implementing the principle of least privilege, providing your admin users only with the rights they need to perform their direct duties. If you want to secure your critical assets even more, think about deploying the zero trust model, where only verified users get to access protected data and systems.
If you decide to implement the above concepts, Ekran System’s PAM functionality can help you with that. Ekran System will enable you to:
- Get full visibility over all accounts of system administrators and regular users
- Manage system administrators’ access rights in your infrastructure
- Secure remote access of sysadmins to critical endpoints
- Verify identities of your system administrators with the help of two-factor authentication
Given that, Ekran System can help you minimize the chances of malicious actors accessing your corporate network even if they manage to compromise an admin account.
6. Monitor system administrators’ activity
Get your house a surveillance system.
Monitoring user activity is a great way to enhance your cybersecurity. Records of user sessions will provide you with information on who did what, where, and when. Also, these records can be used as evidence during a cybersecurity incident investigation.
Ekran System will allow you to:
- Monitor the activity of your system administrators and other users and record it in a video format
- Watch recorded and live user sessions in an intuitive YouTube-like player
- Search by a variety of factors, including launched applications, visited websites, typed keystrokes, executed commands and scripts, and more
- Manage all USB devices used by system administrators in your infrastructure and block unapproved devices automatically
- Export monitoring data via a set of customizable reports and conduct an internal audit of all sysadmin activity performed inside Ekran System
With the help of Ekran System, you can ensure compliance with major cybersecurity standards and regulations.
7. Create a solid incident response plan
Protect your house with an alarm system.
Create a well-thought-out plan for what your personnel will do if a system administrator’s account is compromised. Writing down procedures will help your staff effectively react on time in a critical situation. An incident response plan will help minimize the damage caused by an external attacker or an insider.
Think about optimizing and automating security incident handling in your organization.
With Ekran System’s automated incident response, you can:
- Receive email notifications about suspicious events and respond in a timely manner
- Detect unusual behavior with the help of artificial intelligence-powered user and entity behavior analytics
- Respond to detected threats automatically by blocking users/processes, or by showing a violator a warning message
It’s hard to overstate the role of system administration in the cybersecurity of organizations. Similarly, it’s easy to underestimate the risks system administrators pose with their elevated privileges. Whether done by a skilled hacker or a malicious insider, privilege exploitation can severely damage your security system and sensitive data.
To avoid this, follow the system administrator best practices we have discussed in this article. Assess possible risks and establish effective policies for using administrative accounts to secure them.
As an efficient insider risk management platform, Ekran System can help you properly secure access for IT admins. With our reliable activity monitoring, automated incident response, and access management functionalities, you can considerably reduce the likelihood of privileged account compromise for your organization.
Check out how Ekran System works and decide whether it is the right choice for you!