Privileged Account Management 101
How Can Privileged Accounts Compromise Your Security
When it comes to privileged account management (PAM), you might want to know:
– what is a privileged account?
– does it have any connection to “privileged access management” (also PAM)?
– how do privileged accounts benefit your company?
– what types of privileged accounts are there?
– how can privileged accounts compromise your security?
– what can you do to ensure the cybersecurity of your company?
If so, you have come to the right place – we will answer all this and more in the following lines.
Defining PAM: Privileged Account Management
We call privileged accounts those accounts that carry the most power in an IT environment: the IT team uses them to set up the infrastructure, install new software or hardware, run critical services and carry out maintenance. To put it simply, privileged accounts can reach an organization’s most sensitive IT assets and the data stored within them.
As the acronym suggests, privileged account management is closely related to privileged access management: privileged access management tools control and monitor how privileged accounts are used, in order to keep the business safe. We wrote more about what privileged access management is here. You can also go further by learning about the Zero Trust model, Insider Threats, why removing admin rights closes critical vulnerabilities in your organization, the Principle of Least Privilege (PoLP), and Identity and Access Governance.
How does privileged account management benefit your company?
– it maintains a complete, continuously updated list of the active privileged accounts in your network, recording every new account as it is created.
– privileged credentials (passwords, keys) are stored in a secure vault rather than in spreadsheets or scripts.
– it enforces strict password policy: complexity, rotation frequency, automatic reset after use, etc.
– it brokers access to shared privileged accounts, granting each user only the permissions needed for the task at hand.
– it monitors and records privileged sessions in real time.
– it audits every identity-related operation: logins, credential check-outs, reset actions, etc.
What types of privileged accounts are there?
Well, overall, privileged accounts can install system hardware/software, make changes in IT infrastructure systems, log into all machines in an environment, access sensitive data, reset passwords for others.
They can be:
1. Local Administrative Accounts
Non-personal accounts that provide administrative access only to the local host or instance. Local admin accounts are used for maintenance on servers, workstations, network devices, databases, etc., and in many organizations they carry the same password on every machine, so a password (or its hash) taken from one compromised host works on all of the others. They are the first accounts created during system installation, and some companies hand their credentials to every employee, which makes them easy targets. On Windows the built-in Administrator account cannot be deleted and is not locked out by the account-lockout policy; it can only be renamed or disabled. The practical fix for the shared-password problem is a unique, regularly rotated local admin password per host, which is what Microsoft’s LAPS (Local Administrator Password Solution) automates.
2. Privileged User Accounts
These are named, personal accounts that have been granted administrative privileges on one or more systems. They should have unique and complex passwords, yet they must still be monitored and secured, since they have access to very sensitive privileged data.
3. Domain Administrative Accounts
They have access across all workstations and servers, offering complete control and the ability to modify every other administrative account, which makes them the most sensitive target of a cyber attack in an organization. Access to domain administrative accounts should be granted only on demand, under additional security controls such as multi-factor authentication, and their activity should be fully monitored and audited.
4. Emergency Accounts
Also known as firecall or break-glass accounts, these give an otherwise unprivileged user temporary administrative access to secure systems in an emergency. For obvious security reasons they require managerial approval, and every use should be logged and reviewed afterwards. Emergency accounts are also what lets you disable a compromised administrative account without losing the ability to administer the system, so the attacker cannot keep abusing it.
5. Service Accounts
Service accounts are privileged local or domain accounts under which applications or Windows services run and interact with the operating system. Coordinating their password changes is difficult because one account may be referenced by many services and scheduled tasks on many machines, so in practice the password is rarely, if ever, changed, and it is usually set to never expire. An account that runs a service registered with a Service Principal Name (SPN) carries an extra risk: any domain user can request a Kerberos service ticket encrypted with that account’s password and try to crack it offline (Kerberoasting), so a stale, weak service-account password is effectively public. Where the application supports it, a group Managed Service Account (gMSA) removes the problem by letting Active Directory rotate the password automatically.
6. Active Directory or Domain Service Accounts
Active Directory Domain Services (AD DS) provides the directory that lets sysadmins organize users, computers and resources into a logical hierarchy, and the accounts under which AD itself and the applications integrated with it run are among the most sensitive in the environment. Changing their passwords is a complicated job because the new value has to be coordinated across every system that uses the account; until it is synchronized everywhere, the change breaks the application(s) almost every time.
7. Application Accounts
These allow applications to access databases, run batch jobs or scripts, or reach other applications. Because they need broad access and run unattended, their passwords are frequently hard-coded in scripts or kept in unencrypted configuration files, which poses a significant risk to any organization: anyone who can read the file has the credential. By compromising application accounts, attackers can gain remote access, modify system binaries, or even elevate standard accounts to privileged ones.
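A concrete way to find the embedded credentials described above, and the hardened alternative, as an added example that is not part of the original article: the scanner below looks for credential-like keys with literal values in a constructed configuration file, and `load_secret` shows the pattern that replaces them (the secret is injected at run time from the environment, typically populated from a vault, and the config holds only a placeholder). The config text, key names and the `APP_TOKEN` variable are assumptions made for the example.

```python
"""Scan a configuration file for hard-coded credentials, then show the
hardened alternative: read the secret at run time from the environment (or a
vault) instead of from the file.  Added example for this article; the config
text below is constructed and the key names are assumptions."""
import os
import re

# Constructed sample of the kind of plaintext config the article warns about.
SAMPLE_CONFIG = """\
[database]
host = db01.corp.example
user = app_billing
password = Summer2019!
[api]
api_key = "sk_live_0123456789abcdef"
token = ${APP_TOKEN}
"""

# A key is interesting if its name contains a credential-like word.
SECRET_LINE = re.compile(
    r"^\s*(?P<key>[\w.]*?(?:password|passwd|pwd|secret|api_key|token)[\w.]*)"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Values that are not real secrets: env-var placeholders, <FILL_ME>, masks, empty.
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|<[^>]+>|\*+|)$")


def find_embedded_secrets(text):
    """Return (line_no, key, value) for every hard-coded credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        if PLACEHOLDER.match(value):
            continue  # referenced from elsewhere, not embedded in the file
        findings.append((line_no, m.group("key"), value))
    return findings


def redact(findings):
    """Report a finding without copying the secret into yet another log."""
    return [f"line {n}: {key} = {value[:2]}{'*' * (len(value) - 2)}"
            for n, key, value in findings]


def load_secret(name, env=None):
    """Hardened alternative: deployment tooling places the secret in the
    process environment (fetched from a vault); the config file only holds
    the placeholder ${NAME}.  Refuse to start rather than fall back to a
    default value."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} not provided; refusing to start")
    return value


if __name__ == "__main__":
    for line in redact(find_embedded_secrets(SAMPLE_CONFIG)):
        print(line)
    print(load_secret("APP_TOKEN", {"APP_TOKEN": "injected-at-runtime"}))
```

Run the scanner over the repositories and config shares that application accounts use; the `token = ${APP_TOKEN}` line shows what a clean entry looks like after the fix, and the loader's refusal to start without the secret is deliberate, so that a missing injection is noticed immediately instead of silently falling back to a default.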
How can privileged accounts compromise your security?
According to the Netwrix Blog, “privileged user accounts are dangerous because they are so powerful, and that power can be misused in several different ways.” Specifically,
1. By mistake
Unauthorized modifications to critical data can be made inadvertently, at any time. Files that store sensitive data can also be shared without anyone checking whether there is a legitimate business need, which can get you into serious trouble.
2. By malicious insiders
Privileged accounts have legitimate access rights, so malicious actions performed with them are hard to spot, if anyone thinks to check at all. Malicious use of privileged accounts is a serious threat, because these users’ activity is often not closely monitored and they usually have the expertise to dodge controls and do maximum damage without leaving a trace.
3. By attackers
The legitimate owner or user of the account might not even realize the account has been hijacked until it’s too late. Attacks often unfold like this: A hacker breaches the perimeter, takes control of a user’s PC, silently steals any privileged credentials cached there, and then moves from machine to machine looking for additional privileged users to hijack. In fact, hackers often dwell in the network undetected for months, steadily elevating their privileges until they are powerful enough to steal the organization’s intelligence.
As with almost everything in life, precaution is the key. But where do we start when we need to avoid serious privileged account management problems?
5 key aspects you should consider in order to avoid privileged account management issues:
1. Do you know all the privileged accounts in your company?
More than 50% of data breaches involve the use of privileged account access. If you don’t have a clear view of all the privileged accounts in your company, there’s a high probability you’ll have to deal with such a breach. Moreover, your security team must be able to apply the right controls to new systems and applications.
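What an inventory that answers this question looks like, together with the hygiene checks the account types above call for (shared local admin passwords, service accounts with stale or never-expiring passwords, disabled accounts still sitting in privileged groups), as an added example that is not part of the original article. The records are constructed; in a real environment the domain records would come from `Get-ADUser` and `Get-ADGroupMember` and the local-admin hashes from an endpoint credential audit, and the field names, group list and reference date are assumptions.

```python
"""Build an inventory of privileged accounts and run hygiene checks over it:
who is in the powerful groups, which hosts share a local admin password, and
which service accounts have stale or never-expiring passwords.  Added example
for this article; all records are constructed and the field names are
assumptions."""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}
TODAY = date(2021, 6, 1)  # constructed reference date for the checks

# Constructed domain export: one record per account.
ACCOUNTS = [
    {"sam": "jdoe", "groups": ["Domain Users"], "enabled": True,
     "pwd_last_set": date(2021, 3, 1), "never_expires": False, "spn": None},
    {"sam": "jdoe-adm", "groups": ["Domain Admins"], "enabled": True,
     "pwd_last_set": date(2021, 2, 1), "never_expires": False, "spn": None},
    {"sam": "svc_sql", "groups": ["Domain Admins"], "enabled": True,
     "pwd_last_set": date(2016, 5, 9), "never_expires": True,
     "spn": "MSSQLSvc/db01.corp.example:1433"},
    {"sam": "svc_backup", "groups": ["Backup Operators"], "enabled": True,
     "pwd_last_set": date(2021, 1, 15), "never_expires": False, "spn": None},
    {"sam": "old_contractor", "groups": ["Account Operators"], "enabled": False,
     "pwd_last_set": date(2018, 7, 1), "never_expires": False, "spn": None},
]

# Constructed local-admin audit: password hash of the built-in Administrator per host.
LOCAL_ADMINS = [
    {"host": "ws01", "nt_hash": "1111aaaa" * 4},
    {"host": "ws02", "nt_hash": "1111aaaa" * 4},
    {"host": "srv01", "nt_hash": "2222bbbb" * 4},
]


def privileged_inventory(accounts):
    """Map each privileged group to its members, disabled ones included: an
    account that is disabled but still in Domain Admins is one re-enable away
    from full control and should be removed from the group, not just parked."""
    inventory = {}
    for acct in accounts:
        for group in acct["groups"]:
            if group in PRIVILEGED_GROUPS:
                inventory.setdefault(group, []).append(acct["sam"])
    return {g: sorted(m) for g, m in sorted(inventory.items())}


def shared_local_admin_passwords(local_admins):
    """Hosts whose local Administrator shares a password hash: compromising
    any one of them yields a credential that works on all of the others."""
    by_hash = {}
    for rec in local_admins:
        by_hash.setdefault(rec["nt_hash"], []).append(rec["host"])
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def risky_service_accounts(accounts, today, max_age_days=365):
    """Service accounts (those carrying an SPN) whose password never expires
    or is older than max_age_days.  Any domain user can request a ticket for
    an SPN and attack the password offline, so age matters more here than
    elsewhere.  Returns (account, password_age_days, never_expires)."""
    risky = []
    for acct in accounts:
        if not acct["spn"]:
            continue
        age = (today - acct["pwd_last_set"]).days
        if acct["never_expires"] or age > max_age_days:
            risky.append((acct["sam"], age, acct["never_expires"]))
    return risky


def privileged_and_disabled(accounts):
    """Disabled accounts that still hold privileged group membership."""
    return sorted(a["sam"] for a in accounts
                  if not a["enabled"] and PRIVILEGED_GROUPS & set(a["groups"]))


if __name__ == "__main__":
    print("privileged groups:", privileged_inventory(ACCOUNTS))
    print("shared local admin hashes:", shared_local_admin_passwords(LOCAL_ADMINS))
    print("risky service accounts:", risky_service_accounts(ACCOUNTS, TODAY))
    print("disabled but still privileged:", privileged_and_disabled(ACCOUNTS))
```

Each finding maps to an action from the sections above: a shared local admin hash means per-host random passwords (LAPS), a service account in Domain Admins with a five-year-old non-expiring password means a rotation or a gMSA and a review of whether it needs that group at all, and a disabled account in Account Operators means removing the membership rather than leaving it to be re-enabled.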
2. Can you properly secure privileged credentials?
Privileged credentials should not be shared among IT admins and should not be visible to the admins who use them. Passwords and secure shell (SSH) keys should be random, rotated and expire regularly, because a static password is a standing offer of root access to anyone who captures it. Apply the principle of least privilege and multifactor authentication on top; without them, phishing or man-in-the-middle attacks (no, not winter) might be coming.
3. Can you identify privileged account use irregularities?
You should be able to monitor privileged accounts for any unusual behaviours and log activity information for later reviews. This should help you draw up a baseline of normal behaviour, which will help you catch deviations and, if need be, trigger alerts. The faster you detect an unusual incident, the better.
4. Can you take quick action when you find suspicious activity?
As we said, the faster you detect a privileged account management irregularity, the better. Make sure that you can automatically terminate a privileged session when unusual activity is detected. Doing this manually is not recommended, because the delay may give the attacker enough time to cause irreparable damage.
5. Can you recover/restore data after an incident?
It is crucial to recover and restore data quickly after a data breach or system failure. The same goes for credentials – recovering them after an attack allows you to maintain control. A PAM solution can help you with this.
Bearing this in mind…
Here are some precautions you can take in order to avoid compromising privileged accounts:
1. Provide training to all your employees
When it comes to privileged access, all your employees should be able to recognize suspicious or insecure behaviour. This is particularly important nowadays, since phishing and social engineering attacks are getting more sophisticated and more and more personal devices are being used for business purposes.
2. Monitor and audit privileged user accounts
Make a habit of actively monitoring and routinely auditing privileged user accounts: remove elevated permissions from accounts that no longer need them, and set expiration dates on elevated access so that privileges do not accumulate over time.
It’s also useful to perform a data risk evaluation in order to know exactly what privileged accounts have access to sensitive data, because those accounts need higher security scrutiny and protocol.
3. Always change default credentials
It’s mandatory to change default credentials when you set up a new account, application or system. Defaults such as “admin” or “12345” are the first thing an attacker tries, because they are published in vendor documentation and present in every password wordlist.
4. Adopt least privilege policies
Some users legitimately need more rights and carry more responsibility than regular users, but many of them are over-privileged for most of what they do. It’s better to give everyone a standard user account and elevate privileges only when a task requires it, for as long as it requires it.
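What “elevate when needed” looks like when written down as a just-in-time elevation workflow, which also covers the managerial approval the emergency-account section requires, as an added example that is not part of the original article or of any product: a standard user holds no standing admin rights, a grant is issued only after a second person approves it, it is capped in duration and expires on its own, and every step lands in an audit trail. It is modelled in memory here; in a real deployment the PAM tool would add and remove the group membership. Names, roles, durations and the change reason are assumptions.

```python
"""Just-in-time elevation: users hold no standing administrative rights; a
time-boxed grant is issued only after a second person approves, every step is
written to an audit trail, and the grant expires on its own.  Added example
for this article, modelled in memory; names, roles and durations are
assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    user: str
    role: str
    reason: str
    requested_at: datetime
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


class Elevation:
    def __init__(self, max_duration=timedelta(hours=1)):
        self.max_duration = max_duration
        self.grants = []
        self.audit = []  # (time, event, user, role, detail)

    def request(self, user, role, reason, now):
        grant = Grant(user, role, reason, now)
        self.grants.append(grant)
        self.audit.append((now, "request", user, role, reason))
        return grant

    def approve(self, grant, approver, now, duration=None):
        """Separation of duties: the requester can never approve their own
        elevation.  The grant is capped at max_duration whatever was asked."""
        if approver == grant.user:
            self.audit.append((now, "self-approval refused", grant.user, grant.role, approver))
            raise PermissionError("requester cannot approve their own elevation")
        duration = min(duration or self.max_duration, self.max_duration)
        grant.approved_by = approver
        grant.expires_at = now + duration
        self.audit.append((now, "approve", grant.user, grant.role,
                           f"by {approver} until {grant.expires_at:%H:%M}"))

    def revoke(self, grant, by, now):
        """Manual early termination, e.g. when the session looks suspicious."""
        grant.revoked_at = now
        self.audit.append((now, "revoke", grant.user, grant.role, f"by {by}"))

    def is_elevated(self, user, role, now):
        """The check every privileged operation should run: an unapproved,
        expired or revoked grant confers nothing."""
        return any(g.user == user and g.role == role and g.approved_by
                   and g.expires_at > now and g.revoked_at is None
                   for g in self.grants)


def run_example():
    """One request/approve/expire cycle; returns the states observed."""
    t0 = datetime(2021, 6, 1, 9, 0)  # constructed timestamp
    pam = Elevation()
    g = pam.request("alice", "Domain Admins", "patch DC01", t0)
    before = pam.is_elevated("alice", "Domain Admins", t0)
    try:
        pam.approve(g, "alice", t0 + timedelta(minutes=1))  # must be refused
        self_ok = True
    except PermissionError:
        self_ok = False
    pam.approve(g, "bob", t0 + timedelta(minutes=2), timedelta(minutes=30))
    during = pam.is_elevated("alice", "Domain Admins", t0 + timedelta(minutes=20))
    after = pam.is_elevated("alice", "Domain Admins", t0 + timedelta(minutes=40))
    return {"before": before, "self_approval": self_ok, "during": during,
            "after": after, "audit_events": [row[1] for row in pam.audit]}


if __name__ == "__main__":
    print(run_example())
```

The two properties worth copying are that `is_elevated` is the only path to privilege (so an expired or revoked grant silently stops working without anyone having to remember to remove a group membership) and that the refused self-approval is still written to the audit trail, since an admin trying to approve their own elevation is itself a signal.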
5. Analyze behaviour
Look for any anomaly regarding when, from where, and how privileged accounts are used. You will only notice the irregularities if you first establish what normal looks like.
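The baseline-and-deviation approach described here and under “Can you identify privileged account use irregularities?”, run over the kind of attack chain described earlier (a privileged credential reused from a new workstation at night, hopping from server to server), as an added example that is not part of the original article. The events are constructed to resemble Windows 4624 logon events for accounts that also received 4672 (special privileges assigned); the field names, host names and thresholds are assumptions. A burst of distinct target hosts in a short window is answered with an automatic session termination, as the article recommends, while single deviations only raise an alert.

```python
"""Baseline-and-deviation detection for privileged logons, with the automatic
response the article recommends.  Added example for this article; the events
are constructed and the field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_baseline():
    """Ten working days of normal activity: jdoe-adm administers srv01 and
    srv02 from workstation ws01 during office hours (09:00-17:59)."""
    events = []
    for day in range(1, 11):
        for hour in range(9, 18):
            dst = "srv01" if hour % 2 else "srv02"
            events.append({"time": f"2021-05-{day:02d}T{hour:02d}:05:00",
                           "account": "jdoe-adm", "src": "ws01", "dst": dst})
    return events


# Constructed new activity: one normal logon, then a 02:00 hop across four
# servers from a workstation never seen before, then a service account logging
# on to a domain controller without any baseline at all.
NEW_EVENTS = [
    {"time": "2021-06-01T10:02:00", "account": "jdoe-adm", "src": "ws01", "dst": "srv01"},
    {"time": "2021-06-02T02:13:00", "account": "jdoe-adm", "src": "ws07", "dst": "srv01"},
    {"time": "2021-06-02T02:15:00", "account": "jdoe-adm", "src": "ws07", "dst": "srv02"},
    {"time": "2021-06-02T02:18:00", "account": "jdoe-adm", "src": "ws07", "dst": "srv03"},
    {"time": "2021-06-02T02:21:00", "account": "jdoe-adm", "src": "ws07", "dst": "dc01"},
    {"time": "2021-06-02T09:30:00", "account": "svc_sql", "src": "db01", "dst": "dc01"},
]


def build_baseline(events):
    """Per account: the source hosts, target hosts and hours of day seen."""
    base = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        b = base[e["account"]]
        b["src"].add(e["src"])
        b["dst"].add(e["dst"])
        b["hours"].add(datetime.fromisoformat(e["time"]).hour)
    return dict(base)


def detect(events, baseline, burst_hosts=3, burst_window=timedelta(minutes=15)):
    """Flag deviations from the baseline.  A burst of distinct target hosts in
    a short window is the lateral-movement pattern and is the one case met
    with an automatic session kill rather than a ticket for an analyst."""
    alerts = []
    recent = defaultdict(list)  # account -> [(time, dst)] inside the window
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        acct, reasons = e["account"], []
        b = baseline.get(acct)
        if b is None:
            reasons.append("privileged logon by account with no baseline")
        else:
            if e["src"] not in b["src"]:
                reasons.append(f"new source host {e['src']}")
            if e["dst"] not in b["dst"]:
                reasons.append(f"new target host {e['dst']}")
            if t.hour not in b["hours"]:
                reasons.append(f"off-hours logon at {t:%H:%M}")
        recent[acct] = [(ts, d) for ts, d in recent[acct] if t - ts <= burst_window]
        recent[acct].append((t, e["dst"]))
        targets = {d for _, d in recent[acct]}
        burst = len(targets) >= burst_hosts
        if burst:
            reasons.append(f"{len(targets)} distinct hosts within {burst_window}")
        if reasons:
            alerts.append({"time": e["time"], "account": acct, "reasons": reasons,
                           "action": "terminate_session" if burst else "alert"})
    return alerts


def run_example():
    return detect(NEW_EVENTS, build_baseline(constructed_baseline()))


if __name__ == "__main__":
    for a in run_example():
        print(a["time"], a["account"], a["action"], "; ".join(a["reasons"]))
```

The normal 10:02 logon produces nothing, the first night-time logon from ws07 is only an alert (new source host plus off-hours), and the third hop, when the account has touched three servers in fifteen minutes, escalates to `terminate_session`; the baseline is rebuilt from the recorded history, so the thresholds are the only tuning a team has to do.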
6. Consider automation
Automated solutions, like our Heimdal™ Privileged Access Management, will make your life a lot easier because they help you proactively manage, monitor and control privileged account access. A Privileged Access Management tool is vital for scalability and it’s not only about managing user rights, but also about the fast flow of software installs, about logs and audit trail, about achieving data protection compliance.
7. Don’t forget to protect your endpoints
You need an endpoint protection solution in order to keep malicious code that might get into your system from running. Heimdal™ Threat Prevention Enterprise can help you prevent exploits, ransomware and data leakage at DNS level and hunt, detect and respond to threats faster.
You can also make sure that your company is protected against any dangerous emails your privileged users might receive with Email Fraud Prevention, which notifies you about fraud attempts, business email compromise (BEC) and impersonation.
8. Record sessions
If an attacker manages to obtain access to your system, you must be able to determine to which purpose he used the credentials, if any data got exfiltrated, if malware was inserted into any of your servers, which databases were compromised. Heimdal™ Privileged Access Management can also help you with this aspect.
Heimdal™ Privileged Access
As Security Intelligence says, “Privileged account management (PAM) is emerging as one of the hottest topics in cybersecurity — and it’s easy to understand why. Cybercriminals are relentless when it comes to finding and compromising their targets’ privileged credentials to gain unfettered access to critical assets.” You should have some peace of mind, though, if you adopt a proactive attitude and take safety measures.
Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!