Establishing privileged account management procedures is an essential part of insider threat protection. This process is unique for each organization, depending on its size, industry, security practices, and so on. According to the 2018 Insider Threat Report prepared by Crowd Research Partners, 55% of security officers believe privileged users represent the biggest insider threat to an organization.
A well-tuned privileged access management (PAM) solution helps to mitigate this threat. In this article, we talk about the top five examples of poor privileged account management.
1. Manual access approval
Manual access approval is widely used in small and medium-sized companies. In this case, a security officer considers each request and provides access by hand. This is sufficient in two cases:
- For small companies with up to 10 employees. In this case, a security officer is able to keep up with access requests. However, it may take a lot of time to monitor whether employees are misusing their access permissions.
- For securing the most sensitive resources. Some types of corporate data and resources are highly valuable, so you really need to manually examine any requests to access them.
However, this cybersecurity practice has several drawbacks:
- It slows down the corporate workflow because employees have to wait for access permission.
- Managing access manually takes a lot of time for security officers.
- A security officer can make a mistake and grant access to a user who doesn’t need it.
Managing privileged access manually can’t provide you with an adequate level of cybersecurity, especially within large enterprises. An automated access control solution allows for monitoring privileged user activity without the involvement of security officers. If a privileged user breaks security rules, a PAM solution alerts security officers immediately. Nevertheless, manual tools may still be useful in some particular cases.
2. Granting privileged access to everybody
Privileged access is called privileged for a reason. It must be granted only to those who need it for day-to-day duties. But users often end up with additional privileges assigned to their accounts.
This happens for several reasons:
- The organization doesn’t have a strict PAM policy. This is often the case for small enterprises and startups, in which each user is assigned the same set of access rights.
- A user requests one-time access to a sensitive resource, but after the task is completed, the administrator doesn’t revoke privileges.
- An employee acquires a new position within the company and is assigned privileges for both the old and new positions.
- A third-party vendor needs granular access to an organization’s sensitive data to do their job. Instead of creating an account with a custom set of access rights, the administrator grants this vendor privileged access to the whole network.
Third parties are one of the most dangerous types of insiders, as it’s hard to track their activity within the company’s network. According to a study by the Ponemon Institute, 59% of organizations have experienced a third-party related data breach, and this number grows every year. Yet 66% of security teams grant privileged access to third-party organizations, according to a recent study by OneIdentity.
While outsourcing services is beneficial for organizations, it has a significant drawback: a subcontractor may not maintain the best security practices. With privileged access, a vendor is able to expose or steal sensitive data.
The Universal Music Group (UMG) security breach in 2018 is a typical example of poor privileged account management. A UMG contractor accidentally exposed credentials and part of the internal source code for the company’s IT infrastructure while deploying Apache Airflow. The credentials contained UMG passwords to FTP, AWS, and SQL. Luckily, UMG managed to seal the breach before anyone took advantage of it.
Some vendors (e.g. IT service providers, auditors) really need privileged access. This calls for strengthening security measures; particularly, it calls for deploying a privileged access management (PAM) solution. PAM software helps to secure your endpoints from unauthorized remote access and monitors privileged user activity inside the network.
For one-time occasions, consider granting temporary access to privileged assets with one-time passwords and manual access approval.
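The four causes of privilege accumulation listed above (no role baseline, one-time grants never revoked, rights carried over from an old position, vendors given network-wide access) can be caught by a periodic entitlement review. The following is an added example, not code from the article or from Ekran System; the role baseline, account records and privilege names are constructed sample data.

```python
from datetime import date

# Constructed baseline: the privileges each role is entitled to (assumed data).
ROLE_BASELINE = {
    "developer": {"git:write", "ci:run"},
    "dba": {"db:admin", "backup:read"},
    "vendor-auditor": {"logs:read"},
}

# Constructed account export: assigned privileges plus expiry dates of temporary grants.
ACCOUNTS = [
    {"user": "alice", "role": "dba", "privs": {"db:admin", "backup:read"}, "temp": {}},
    # moved from dba to developer but kept the old role's db:admin right
    {"user": "bob", "role": "developer", "privs": {"git:write", "ci:run", "db:admin"}, "temp": {}},
    # one-time production access whose expiry passed without revocation
    {"user": "carol", "role": "developer", "privs": {"git:write", "ci:run", "prod:ssh"},
     "temp": {"prod:ssh": date(2024, 1, 15)}},
    # third-party auditor holding a network-wide privilege instead of a scoped one
    {"user": "vendor-x", "role": "vendor-auditor", "privs": {"logs:read", "network:admin"}, "temp": {}},
]

AS_OF = date(2024, 3, 1)  # review date used by the sample run


def review_entitlements(accounts, baseline, today):
    """Return {user: [finding, ...]} for every account holding more than its role allows.

    A privilege outside the role baseline is reported unless it is a temporary grant
    that has not yet expired; expired grants are reported as unrevoked.
    """
    findings = {}
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        issues = []
        for priv in sorted(acct["privs"] - allowed):
            expiry = acct["temp"].get(priv)
            if expiry is None:
                issues.append(f"excess privilege not in role '{acct['role']}': {priv}")
            elif expiry < today:
                issues.append(f"temporary grant {priv} expired {expiry.isoformat()} but is still active")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_entitlements(ACCOUNTS, ROLE_BASELINE, AS_OF).items():
        print(user, issues)
```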
3. Overcomplicated PAM policy
As with any good deed, it’s easy to go overboard with a privileged access management policy. An overly complex cybersecurity policy is a typical PAM risk for large organizations. Companies may have many types of sensitive data and many levels of privileged access. Moreover, corporate assets may be located in different countries and be managed by different teams.
As a result, resetting user passwords may take up to 30 minutes. Providing a new employee with all the necessary access permissions can take a few days or even a few weeks.
If your company is like this, it’s a good call to reconsider your cybersecurity policies. Complicated procedures may harm productivity. If users have to wait each time they need a request approved, they’ll try to obtain permanent access.
One of the most dangerous outcomes of a complicated PAM system is leaving privileged accounts unregistered. Attackers or malicious insiders can use these unregistered privileged accounts as backdoors. Meanwhile, 70% of organizations fail to detect all privileged users during an audit, according to SC Magazine.
The 2014 Sony Pictures, Target, and JP Morgan data breaches all had one thing in common: hackers obtained privileged account credentials to get inside the network and altered cybersecurity system settings so that the data-stealing malware went undetected.
The best way to make sure you don’t overcomplicate cybersecurity procedures is to deploy a PAM solution that grants access, monitors users, and keeps track of privileged accounts automatically. Make sure that your PAM solution allows you to set custom alerts to meet the unique requirements of your business and allows you to respond to cybersecurity incidents in a timely manner.
4. Sharing privileged accounts
Sharing account credentials is one of the most widespread poor privileged account management practices. Every company has an admin or root account whose credentials are known to every network administrator.
Such profiles are dangerous for several reasons:
- The more people know the credentials of a privileged account, the higher the chance for a hacker to obtain those credentials.
- It’s hard to distinguish among employees who log in to a shared privileged account. Therefore, it’s difficult to connect a security incident with a particular user.
In 2018, Timehop suffered a data breach related to shared privileged accounts. Hackers stole credentials from a cloud environment admin account and monitored Timehop databases for some time. They compromised the data of 21 million users, including their names, emails, and in some cases phone numbers.
SurveyMonkey found that 37% of users share passwords or accounts with colleagues. It seems impossible to ban such practices completely. Sharing a profile is comfortable for some types of work (e.g. if cashiers working shifts need to see the results of a previous shift). And emergency and root accounts are necessary to fix a network if issues occur.
In order to manage privileged accounts properly, use secondary or multi-factor authentication for shared privileged accounts. These tools use additional factors such as personal credentials, a smartphone, or a fingerprint to positively identify the person logging in to the system. Credentials must be stored in a secure password vault.
5. Mismanaging accounts of fired employees
A disgruntled, fired, or soon-to-be-fired employee is one of the most common types of malicious insiders. They know what sensitive data a company possesses, what security policies are implemented, and which vulnerabilities may be abused.
According to a study by OneIdentity, 22% of IT organizations take more than a week to delete an ex-employee’s account and deactivate their credentials. During this time, the account may be used as:
- a backdoor. A privileged account with access to sensitive data wouldn’t trigger a monitoring system alert. A hacker or a disgruntled ex-employee may use it to gain access to business-critical data.
- a way to blackmail the company. This is possible if the employee had exclusive access to some resources. For example, an IT administrator fired from the American College of Education tried to blackmail ACE to pay him $200,000 for resetting a Google account password.
There are plenty of ex-employee revenge cases out there. Even Donald Trump’s Twitter account was deactivated for 11 minutes by a disgruntled fired subcontractor. Another classic example is the Morrisons data leak. A fired IT auditor leaked data of 100,000 employees, including bank account details, salaries, and insurance numbers. Remediating this breach cost Morrisons 2 million pounds (nearly 2.6 million dollars).
In order not to get into such a situation, make deleting ex-employee accounts a regular task. Make sure to change shared passwords for privileged accounts on a regular basis and reset them every time an employee with access to such an account leaves. Also, set up a regular audit to detect inactive accounts.
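The three recurring tasks just described (disable leavers' accounts promptly, rotate shared privileged passwords whenever someone who knew them leaves, and detect inactive accounts) can be checked against a directory export on a schedule. This is an added example, not code from the article or from Ekran System; the account records, the shared-account list and the 90-day inactivity threshold are assumptions for illustration.

```python
from datetime import date

# Constructed directory export: per-account status, last login and termination date.
ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_login": date(2024, 2, 28), "terminated": None},
    # left the company but the account was never disabled
    {"name": "dave", "enabled": True, "last_login": date(2024, 1, 10), "terminated": date(2024, 1, 12)},
    # handled correctly: disabled on the termination date
    {"name": "erin", "enabled": False, "last_login": date(2023, 12, 1), "terminated": date(2023, 12, 1)},
    # dormant service account nobody has logged in to for months
    {"name": "svc-legacy", "enabled": True, "last_login": date(2023, 9, 1), "terminated": None},
]

# Constructed list of shared privileged accounts: last password rotation and who knows it.
SHARED = [
    {"name": "root", "password_changed": date(2024, 1, 5), "known_to": {"alice", "dave"}},
    {"name": "emergency-admin", "password_changed": date(2024, 2, 1), "known_to": {"alice", "dave"}},
]

AS_OF = date(2024, 3, 1)  # audit date used by the sample run


def audit_accounts(accounts, shared, today, inactive_days=90):
    """Return a list of (finding, account, detail) tuples.

    terminated-but-enabled: leaver still has an active account (detail = days since leaving)
    inactive:               enabled account unused for more than inactive_days (detail = days idle)
    shared-password-not-rotated: a shared account's password predates the departure of
                            someone who knew it (detail = the leaver's name)
    """
    findings = []
    left_on = {a["name"]: a["terminated"] for a in accounts if a["terminated"]}
    for a in accounts:
        if not a["enabled"]:
            continue  # already deactivated, nothing to report
        if a["terminated"]:
            findings.append(("terminated-but-enabled", a["name"], (today - a["terminated"]).days))
        elif (today - a["last_login"]).days > inactive_days:
            findings.append(("inactive", a["name"], (today - a["last_login"]).days))
    for s in shared:
        for leaver in sorted(s["known_to"] & set(left_on)):
            if s["password_changed"] <= left_on[leaver]:
                findings.append(("shared-password-not-rotated", s["name"], leaver))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, SHARED, AS_OF):
        print(*finding)
```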
In this article, we reviewed the five most common poor PAM practices. Deploying dedicated software such as Ekran System helps in solving the most common issues of privileged account management.
Ekran System is a robust insider threat protection solution that covers all of the cases discussed above. It provides you with an automated access management module to grant or deny privileged access with little involvement of security officers. Privileged account and session management and one-time password functionalities allow for a granular approach to granting privileged access.
Ekran System makes implementing cybersecurity policies easier, as it provides security officers with a set of tools built according to industry requirements. It also prevents you from creating a security policy that’s too complex.
The continuous activity monitoring feature of Ekran System detects any malicious activity inside the network. If it was performed by a user of a shared privileged account, the secondary authentication feature helps to identify the person behind this action.