System administrators hold the key to your organization’s cybersecurity. However, sysadmin accounts can pose risks to your company. On the one hand, their elevated access rights are targets for hackers and malicious users. On the other hand, there’s a risk of administrators themselves abusing their privileges.
In this article, we explore the types and responsibilities of sysadmins and define the risks related to their work. We also offer seven effective practices to secure your critical systems and data.
Why do system administrators matter?
System administrators are employees responsible for the installation, maintenance, and configuration of an organization’s computer systems, networks, and servers. Working with both hardware and software, they have to follow strict cybersecurity policies to ensure the safety of a company’s sensitive data and the entire IT infrastructure.
System administrators usually have more access rights than any other employees. They can:
- Access all files and data within the corporate network
- Create and delete accounts, both regular and privileged
- Assign access rights to user accounts
- Download, upgrade, and remove software
- Modify corporate systems
- And more
Depending on an organization’s type and size, system administrators can be categorized as following:
- Database administrators are responsible for the integrity of data and the efficiency, maintenance, and performance of the database system.
- Network administrators maintain network infrastructure such as switches and routers and diagnose problems with the behavior of network-attached computers.
- Security administrators handle computer and network security and communicate general security measures to an organization’s staff.
- Web administrators maintain web server services that allow for internal or external access to websites and may also manage software.
- Computer administrators perform routine maintenance and upkeep of computer equipment, such as changing backup tapes or replacing failed drives in a redundant array of independent disks.
- Telecommunications administrators are responsible for maintaining equipment and networks that provide data and voice communication systems, such as telephone, video conferencing, computer, and voicemail systems.
Possessing elevated access rights, sysadmins may pose a significant risk to a company’s cybersecurity. There are two key threat vectors related to a system administrator’s work:
- External threats — attacks that aim to access critical assets and data by compromising a sysadmin’s credentials
- Internal threats — malicious actions of sysadmins who misuse their access privileges
Let’s take a closer look at the danger hidden behind each of these two categories of risks.
External attacks on sysadmin credentials
Sysadmin credentials are a desired target for attackers.
A system administrator’s credentials are always attractive for cybercriminals who want to steal or disrupt an organization’s sensitive data or compromise an organization’s cybersecurity.
Possible attack vectors on a sysadmin’s credentials include:
- Keylogging malware
Keylogging malware captures users’ keystrokes, thereby acquiring logins and passwords, and can send this information to an attacker. This malware can be intentionally installed on a machine by a malicious insider or by an outside attacker. Common techniques for installing keylogging malware include drive-by downloads, infected USB devices, and watering hole attacks.
Back in 2016, security experts succeeded in stealing credentials from a computer with only a USB device even though the computer was locked down with a password. It took Rob Fuller, a security engineer who took part in this experiment, less than 30 seconds to hack the target computer.
- Phishing techniques
Cybercriminals can create fake websites that closely resemble legitimate websites of government offices, banks, online services, etc. Attackers then send spear phishing messages to get users to the phishing site. Once a user attempts to log in to the phishing site, the site sends the entered credentials to an attacker.
In 2019, a phishing campaign targeted users of Microsoft and Office 365 products by impersonating these brands in an attempt to compromise admin accounts. The received credentials would have allowed attackers to retrieve user emails, completely take over other email accounts on a domain, and create new accounts within an organization.
- Hacked user databases
Sometimes, e-commerce and social media websites get hacked and their databases along with user credentials end up in cybercriminals’ hands. The problem is that people tend to reuse their passwords for both personal and corporate accounts. Since up to 73% of passwords are duplicates, attackers can successfully use passwords and credentials compromised in public breaches against corporate accounts.
- Pass the hash attacks
This is a hacking technique that allows an attacker to steal password hashes after they’re left in memory instead of stealing complete passwords. To perform a pass the hash attack, an attacker can dump authenticated user credentials stored in memory or dump the local user’s account database.
- Credential stuffing and password spraying
A credential stuffing attack is possible if an attacker gains access to a list of credentials like passwords and tries to use them against multiple accounts to see if there’s a match. A password spraying attack is performed when a cybercriminal has a list of usernames. Thus, they can test each username against a list of the most commonly used passwords. They can also try to bypass the limit of repeated password attempts by using multiple IP addresses.
How sysadmins can abuse their privileges
Another potential risk is a malicious sysadmin.
Full access rights to your organization’s systems provide system administrators with almost unlimited opportunities. A malicious admin can use this power to do a lot of things:
- Delete files and transfer data
- Alter the way a system operates
- Create backdoor accounts with elevated rights
- Act under accounts of other network users
- Install shadow IT or malware
- Exploit vulnerabilities present in the corporate network
The most unpleasant thing about insider threats coming from malicious system administrators is that sysadmins can camouflage their actions. With their elevated access rights, sysadmins can cover the traces of a cybercrime by using accounts of other employees, deleting applications, and removing or modifying system and security event logs.
It can take years to detect a crime performed by a malicious sysadmin. For instance, Brandon Coughlin, who was sentenced to prison only in 2017, created an undisclosed administrative account with full access and control of a Pennsylvania clinic group’s computer system just two days after he finished his job at the company back in 2013. He proceeded to make fraudulent technology purchases and delete computer settings and data until mid-2015, when the clinic finally changed the system administrator’s credentials. His actions caused a financial loss of approximately $60,000 to the Pennsylvania clinic group.
In one of our previous posts, we analyzed the risks coming from users with elevated privileges and the consequences of poorly managed privilege escalation. Check out our recommendations on addressing this issue in our post on how escalating privileges can shake your enterprise security.
Fortunately, there are different ways you can minimize the risks posed by privileged users and, particularly, the risks posed by sysadmins.Let’s move on to the best practices that can help you prevent cybersecurity incidents related to a system administrator’s work and secure their accounts.
7 best practices to secure a system administrator’s work
To minimize common risks concerned with a system administrator’s work and protect your company’s cybersecurity, consider implementing the following helpful practices:
1. Assess and manage risks
Evaluate information security risks to identify all of your critical assets and people who have access to them. The idea is to detect vulnerabilities and potential threats, then use this information to create and implement a relevant cybersecurity strategy and security controls.
2. Establish extensive policies
Make sure you have formal written policies that include rules for working with corporate networks and systems. Your policies have to contain clear descriptions of all cybersecurity measures applied within your organization. Explore Stanford University’s Guide for System Administrators and the University of Arizona’s Acceptable Use for System Administrators Policy as examples.
3. Set strict password management rules
Strong password management is essential both for cybersecurity and compliance purposes. To secure root and administrator credentials within your organization, apply practices recommended by cybersecurity regulations and standards relevant to your industry. You can also use dedicated password management tools that can help you securely store, deliver, and handle your secrets.
4. Secure access to critical systems
To enhance access protection, consider implementing such features as multi-factor authentication (MFA) and secondary authentication. MFA minimizes the chances of malicious actors accessing your corporate network if they manage to steal admin credentials. A secondary authentication mechanism helps you identify users of shared accounts.
5. Separate duties
It’s always a good practice to separate duties of system administrators in case your organization employs several of them. By doing so, you’ll limit the amount of power held by one admin and minimize the possible scope of privilege abuse.
6. Secure your hardware
Protecting physical systems is as important as securing your virtual networks and systems. If you use your own servers in the office, make sure they’re stored in locations where only authorized personnel are allowed and make sure your corporate computers can only be accessed by authorized staff.
7. Deploy a reliable monitoring solution
Monitoring user activity is a great way to enhance your cybersecurity and detect and prevent potential incidents. Not to mention it’s a requirement of various cybersecurity standards like NIST 800-53 and PCI DSS. Records of user sessions will provide you with information on who did what as well as where and when they did it. Also, these records can be used as evidence during a cybersecurity incident investigation.
Secure your systems administrators’ work with Ekran System
To effectively reduce cybersecurity risks stemming from your sysadmins, consider deploying a reliable and sophisticated solution.
Ekran System is an insider threat management platform that offers comprehensive user activity monitoring, access management, and more. It gives you deep insights into your system administrators’ activities.
With Ekran System, you can:
- See how employees are interacting with your systems by monitoring user activity in real time and watching recorded user sessions
- Detect potential incidents thanks to an AI-powered module for user and entity behavior analytics that spots suspicious user activity
- Receive real-time alerts and instantly respond to them by sending warnings to a specific user or blocking a process, user, or session
- Secure access to your systems with an MFA tool, one-time passwords, and secondary authentication
- Analyze user activity with detailed and easily customized reports
Leverage Ekran System to eliminate insider threat risks by closely monitoring user activity, efficiently managing access, detecting potential incidents in real time, and responding to those incidents before they cause harm.
It’s vital to know the major types of attacks on a sysadmin’s credentials and possible scenarios of how administrators can abuse their privileges. By knowing this, you can choose the most relevant measures for securing the work of your sysadmins and improve the security of system administrator’s accounts.
One essential way to make sure system administrators don’t misuse their privileges is by monitoring and auditing all of your employees’ work. This helps you get full visibility of user actions and comply with major cybersecurity standards.
With a comprehensive insider threat management platform like Ekran System, you not only can establish robust user monitoring but can detect potential cybersecurity incidents in real time and address them immediately. Enjoy a free trial of Ekran System right now!