19-10-2022

According to a recent survey, 74% of data breaches start with privileged credential abuse. As such, companies that prioritize privileged credential security will no doubt have an advantage over their competitors, not to mention a head start when it comes to satisfying the relevant compliance requirements. In this article, we will cover the basics of Privileged Access Management (PAM), including the different types of privileged accounts and the most common ways they are compromised.
What Are Privileged Accounts?
What differentiates privileged accounts from other, more generic accounts, is that they are allowed access to more systems and data. For example, a privileged user will have access to medical records, payment card details, social security numbers, and company secrets, in addition to security solutions and hardware applications. Privileged accounts are generally admin accounts, which include Local Windows Admin accounts, Domain Admin accounts, and Service Accounts. Below is a more detailed explanation of the different types of privileged accounts, and what they are used for.
Types of Privileged Access Accounts
Domain Admin Accounts
These accounts are sometimes referred to as “God” accounts, as they have access to pretty much everything. Naturally, if one of these accounts were to be compromised, you will be in big trouble.
Domain Service Accounts
These accounts are used to grant systems and applications access to the resources they need to function. For example, they can be used to generate reports, access data via APIs, and so on.
Local Administrator Accounts
These accounts are frequently abused as organizations typically give regular employees access to them. As such, they are a prime target for cyber-criminals.
Emergency Accounts
As the name would suggest, these accounts are used for emergency purposes, such as when a security breach occurs and a member of the security team needs to quickly perform mitigation activities. These accounts are typically disabled by default.
Service Accounts
These accounts are generally used by operating systems to install and run programs. Cyber-criminals will often try to target these accounts in order to execute malware applications, such as ransomware.
Application Accounts
When an application needs access to resources it will be assigned an application account, which will have access to databases and APIs, and will be allowed to install updates, carry out automated tasks, make configuration changes, and so on.
Privileged Data User Accounts
These accounts are used to allow regular users to access sensitive data. As you might expect, they are prime targets for cyber-criminals, and thus represent a huge security risk. It is imperative that these accounts are closely monitored.
Why do Privileged Accounts Require Special Protection?
Since these accounts are used to access critical systems and sensitive data, they require the highest level of protection. A breach of one of these accounts will give adversaries the opportunity to disrupt critical systems, steal sensitive data, and even elevate their privileges further, if necessary.
Paths to Exploiting a Privileged Account
A large number of data breaches are caused by stolen passwords, usually via some kind of social engineering technique and/or a malware attack. Below are the main ways adversaries can gain access to privileged accounts.
Phishing and Social Engineering
Phishing and other social engineering techniques are perhaps the most common method of illegitimately obtaining credentials. Attackers will typically masquerade as a trusted entity in order to trick the victim into handing over their credentials. In some cases, the attacker will spend time learning about the victim and/or befriending the victim in order to make the attack more targeted. This technique is generally referred to as spear-phishing.
Password Attacks
This category includes brute-force password attacks, password guessing, shoulder surfing, dictionary attacks, rainbow table attacks, password spraying, and credential stuffing. In some cases, the attacker will try to guess the answers to security questions in order to gain access to a privileged account. They might also try to compromise the password reset mechanism in order to exploit password changes and resets.
Vulnerabilities and Exploits
Attackers will often try to gain access to a privileged account by targeting vulnerabilities found in operating systems, communication protocols, web browsers, web applications, cloud systems, network infrastructure, and so on.
Default Passwords
In some cases, companies forget to change the default passwords on admin or root accounts, which attackers will try to exploit.
Spyware
Adversaries will often try to use spyware to gain access to privileged accounts. Keyloggers, for example, can harvest credentials by monitoring the keystrokes of the user.
Privileged Access Management Requirements
Privileged Access Management is not a process that is carried out manually but instead uses one or more software solutions to automate the process. Ideally, your PAM solution(s) should have the following capabilities:
A password vault: A secure place to store credentials.
Auto-rotation: The ability to automate the rotation of passwords.
An approval workflow: A process for granting and revoking permissions.
Multi-factor authentication (MFA): The ability to enable MFA on all privileged user accounts.
Automated account management: The ability to automate the process of creating, modifying, and removing user accounts. Your chosen solution(s) should also be able to automatically detect and manage inactive, or “ghost” user accounts.
Real-time account monitoring: All privileged user accounts must be continuously monitored for suspicious activity, and all privileged account activity should be sortable and searchable via a centralized console/dashboard.
Reporting & alerting: Your chosen solution(s) should be able to generate real-time alerts, which can be sent to the relevant personnel, either to their inbox or mobile app. Likewise, it should be able to generate detailed reports which can be used for internal analysis or sent to the relevant authorities to demonstrate compliance.
PAM vs IAM
Privileged Access Management (PAM) and Identity and Access Management (IAM) are conceptually similar. You could say that PAM is a component of IAM, in that PAM deals only with privileged accounts, whereas IAM deals with the authentication and authorization of all user accounts, including guest accounts.
PAM vs PoLP
The Principle of Least Privilege (PoLP) stipulates that all users, networks, devices, servers, and services, are granted the least privileges they need to perform their role. PoLP is an integral part of PAM, although it is a principle that can be applied to any situation where access to critical systems and data must be restricted.
How Privileged Access Management Solutions Stop Security Threats
As mentioned above, cyber-criminals will always, if possible, try to target privileged accounts. Any gaps in your PAM strategy will inevitably make it easier for them to gain access to critical systems and data.
Firstly, protecting privileged accounts with multi-factor authentication will help to prevent unauthorized access. Were an adversary to gain access to a privileged account, a sophisticated PAM solution will help to minimize the damage they can cause by preventing them from moving laterally to other systems.
A Privileged Access Management solution will also continuously monitor access to privileged accounts, and some solutions use machine learning techniques to learn usage patterns which can be tested against in order to identify anomalies.
A PAM solution can automatically detect and respond to inactive user accounts, which attackers often look for in order to infiltrate a network in a more covert manner.
Privileged Access Management Best Practices
In order for a Privileged Access Management solution to be effective, it must be properly configured and maintained. Below are some of the best practices to adhere to when using a PAM solution:
Implement the Principle of Least Privilege
As mentioned above, access permissions must be restricted to ensure that privileged users only have access to the systems and data they need, and nothing more. If a user needs more access, there must be a process for granting/revoking access on a time-limited basis – a technique that is often referred to as Just-In-Time (JIT) access.
Use Role-Based Access Control (RBAC)
Privileged Access Management works a lot better with Role-Based Access Control (RBAC), as it makes assigning access rights a lot easier. With RBAC, roles are set up for different purposes, with different levels of access. Users are then added to those roles and removed when they no longer require access.
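The two practices above (JIT elevation and RBAC) and the approval-workflow requirement from the capabilities list can be seen together in a small in-memory access broker. This is an added example, not code from the article or from any PAM product: standing access comes only from roles, any elevation must be requested with a justification and approved by someone other than the requester, and every grant carries a time-to-live after which it is revoked automatically. The role names, users, permissions and ticket reference are constructed for the illustration.

```python
"""Role-based access with time-limited (JIT) elevation.

Added example, not from the article or any product. Standing access comes
from roles; elevation is requested, approved by a separate person, granted
for a fixed TTL and revoked automatically. All names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed roles: each maps to the permissions it confers.
ROLES = {
    "helpdesk": {"reset_user_password", "read_ticket"},
    "dba": {"read_db", "write_db"},
    "domain_admin": {"read_db", "write_db", "manage_domain", "reset_user_password"},
}


@dataclass
class Grant:
    request_id: int
    user: str
    role: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False

    def active(self, now):
        return not self.revoked and self.granted_at <= now < self.expires_at


class AccessBroker:
    def __init__(self, roles, approvers):
        self.roles = roles
        self.approvers = set(approvers)
        self.standing = {}   # user -> set of standing roles (least privilege)
        self.requests = {}   # request_id -> request record
        self.grants = []     # approved, time-boxed elevations
        self.audit = []      # (timestamp, event, detail) for the security team
        self._next_id = 1

    def _log(self, now, event, detail):
        self.audit.append((now, event, detail))

    def assign_role(self, user, role):
        if role not in self.roles:
            raise KeyError(role)
        self.standing.setdefault(user, set()).add(role)

    def request_elevation(self, user, role, justification, now):
        if role not in self.roles:
            raise KeyError(role)
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = {"user": user, "role": role,
                              "justification": justification, "status": "pending"}
        self._log(now, "request", f"{rid}: {user} -> {role} ({justification})")
        return rid

    def approve(self, request_id, approver, now, ttl=timedelta(hours=1)):
        req = self.requests[request_id]
        if req["status"] != "pending":
            raise ValueError("request already decided")
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == req["user"]:   # separation of duties: no self-approval
            raise PermissionError("requester may not approve their own request")
        req["status"] = "approved"
        grant = Grant(request_id, req["user"], req["role"], approver, now, now + ttl)
        self.grants.append(grant)
        self._log(now, "approve", f"{request_id}: by {approver}, expires {grant.expires_at}")
        return grant

    def effective_roles(self, user, now):
        roles = set(self.standing.get(user, set()))
        roles.update(g.role for g in self.grants if g.user == user and g.active(now))
        return roles

    def can(self, user, permission, now):
        allowed = any(permission in self.roles[r] for r in self.effective_roles(user, now))
        self._log(now, "access", f"{user} {permission}: {'allow' if allowed else 'deny'}")
        return allowed

    def expire_grants(self, now):
        """Revoke every grant whose TTL has elapsed; returns how many were revoked."""
        revoked = 0
        for g in self.grants:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                revoked += 1
                self._log(now, "expire", f"{g.request_id}: {g.user} lost {g.role}")
        return revoked


def demo():
    """Helpdesk user gets one hour of domain_admin for a constructed incident."""
    broker = AccessBroker(ROLES, approvers={"alice"})
    broker.assign_role("bob", "helpdesk")
    t0 = datetime(2022, 10, 19, 9, 0)
    rid = broker.request_elevation("bob", "domain_admin", "INC-0042 DC restore", t0)
    broker.approve(rid, "alice", t0, ttl=timedelta(hours=1))
    during = broker.can("bob", "manage_domain", t0 + timedelta(minutes=30))
    after = broker.can("bob", "manage_domain", t0 + timedelta(hours=2))
    revoked = broker.expire_grants(t0 + timedelta(hours=2))
    return during, after, revoked, broker


def self_approval_rejected():
    """True if the broker refuses a requester approving their own request."""
    broker = AccessBroker(ROLES, approvers={"alice", "bob"})
    t0 = datetime(2022, 10, 19, 9, 0)
    rid = broker.request_elevation("bob", "domain_admin", "test", t0)
    try:
        broker.approve(rid, "bob", t0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    during, after, revoked, broker = demo()
    for entry in broker.audit:
        print(*entry)
```

The audit list is what the "sortable and searchable" monitoring requirement earlier in the article is about: every request, approval, access decision and expiry is recorded with a timestamp, so a reviewer can reconstruct who held what and when.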
Automate Where Possible
It’s a good idea to automate everything you can in order to maximize efficiency and minimize the chance of human error. Automation will also enable security teams to focus on more productive tasks.
Monitor Privileged Account Activity
All privileged accounts should be continuously monitored for anomalous activity. Likewise, anytime sensitive data is accessed, modified, copied, shared, or removed, the security team will need to be informed so that they can determine the legitimacy of the actions, and take action if necessary.
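The monitoring described here, and the "learn usage patterns and test against them" approach mentioned in the previous section, can be shown with a small detector that builds a per-account baseline of hosts and hours of day from a quiet period and then flags departures from it, plus any copy, share, modify or delete of data under a sensitive path. This is an added example, not code from the article or any product; the log format, account names, hosts and paths are all constructed for the illustration.

```python
"""Privileged-account activity monitoring against a learned baseline.

Added example, not from the article or any product. Learns per-account hosts
and hours from a baseline log, then flags new events that depart from it and
every sensitive-data write/copy/share for review. All data is constructed.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) account=(?P<account>\S+) "
    r"host=(?P<host>\S+) action=(?P<action>\S+)(?: target=(?P<target>\S+))?$"
)
SENSITIVE_ACTIONS = {"copy", "share", "modify", "delete"}
SENSITIVE_PREFIXES = ("hr/", "finance/")   # constructed data classification

# Constructed baseline: a week of normal activity for two privileged accounts.
BASELINE_LOG = """\
2022-10-10 09:02:11 account=admin.jane host=ws-jane action=logon
2022-10-10 09:15:40 account=admin.jane host=ws-jane action=read target=hr/handbook.pdf
2022-10-10 13:45:03 account=admin.jane host=ws-jane action=logon
2022-10-10 17:20:09 account=admin.jane host=ws-jane action=read target=it/runbook.md
2022-10-11 10:30:00 account=admin.jane host=ws-jane action=logon
2022-10-10 02:00:05 account=svc_backup host=srv-db01 action=backup target=db/prod
2022-10-11 02:00:04 account=svc_backup host=srv-db01 action=backup target=db/prod
"""

# Constructed new activity to be checked against the baseline.
NEW_LOG = """\
2022-10-19 10:05:12 account=admin.jane host=ws-jane action=read target=it/runbook.md
2022-10-19 03:12:44 account=admin.jane host=ws-jane action=logon
2022-10-19 10:40:01 account=admin.jane host=srv-dc01 action=copy target=hr/payroll.xlsx
2022-10-19 02:00:07 account=svc_backup host=srv-db01 action=backup target=db/prod
2022-10-19 11:00:00 account=svc_backup host=ws-temp7 action=logon
2022-10-19 11:30:00 account=contractor.x host=ws-temp7 action=share target=hr/payroll.xlsx
"""


def parse(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def build_baseline(events):
    """Per account: the set of hosts and hours of day seen during the baseline."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["account"], {"hosts": set(), "hours": set()})
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return baseline


def is_sensitive(target):
    return bool(target) and target.startswith(SENSITIVE_PREFIXES)


def detect(events, baseline):
    """Return findings: events with one or more reasons the security team should look."""
    findings = []
    for e in events:
        reasons = []
        b = baseline.get(e["account"])
        if b is None:
            reasons.append("no_baseline")       # account never seen before
        else:
            if e["host"] not in b["hosts"]:
                reasons.append("new_host")
            if e["ts"].hour not in b["hours"]:
                reasons.append("unusual_hour")
        # Sensitive-data writes are always reported, even from a known host/hour.
        if e["action"] in SENSITIVE_ACTIONS and is_sensitive(e["target"]):
            reasons.append("sensitive_action")
        if reasons:
            findings.append({"ts": e["ts"], "account": e["account"], "host": e["host"],
                             "action": e["action"], "target": e["target"],
                             "reasons": reasons})
    return findings


def run():
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["account"], f["host"], f["action"], f["target"], f["reasons"])
```

On the constructed data the nightly backup and the administrator's daytime read pass silently, while a 03:12 logon, a payroll copy from a domain controller, a service account logging on interactively from a workstation, and an unknown account sharing payroll data are all surfaced with the reason attached. A production detector would use a rolling baseline and tolerances around the learned hours; the structure is the same.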
How Lepide Helps with PAM
There are many Privileged Access Management solutions on the market that you can deploy to manage access rights. However, on their own, PAM solutions often fall short of providing the level of security and insight required to protect data and meet compliance. Lepide provides added value before, during, and after deployment, and on an ongoing basis.
Lepide can help you to clean up your Active Directory prior to the deployment of your PAM solution. Most PAM deployments fail due to misconfigurations or a messy AD, including inactive users/computers, open shares, troublesome accounts, legacy issues with users, passwords set to never expire, over-privileged users, and more. Lepide can help you identify and rectify these security states.
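The directory clean-up described here, together with the "ghost" account detection from the capabilities list earlier, reduces to a few checks over exported user attributes. This is an added example, not the article's or Lepide's code: it audits a constructed CSV export of user attributes (column names follow the usual AD attribute names; MemberOf is simplified to group names rather than distinguished names) for inactive accounts, passwords set to never expire, and stale membership of privileged groups. The account names, dates and the list of privileged groups are constructed for the illustration.

```python
"""Pre-PAM directory hygiene audit over a constructed user export.

Added example, not from the article or any product. Flags inactive accounts,
passwords set to never expire, and stale privileged-group membership. The CSV
export, dates and group list are constructed for the illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: columns follow common AD attribute names.
USER_EXPORT = """\
SamAccountName,Enabled,LastLogonDate,PasswordLastSet,PasswordNeverExpires,MemberOf
admin.jane,True,2022-10-18,2022-09-01,False,Domain Admins;IT Staff
svc_legacy,True,2021-03-02,2019-05-14,True,Domain Admins
tmp.contractor,True,,2022-01-10,False,Domain Users
old.bob,True,2022-04-01,2022-03-30,False,Domain Users
svc_backup,True,2022-10-19,2022-08-01,True,Backup Operators
jdoe,False,2022-02-01,2021-12-01,False,Domain Admins
"""

# Groups treated as privileged for this audit (assumption for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators", "Account Operators"}


def _date(text):
    return datetime.strptime(text, "%Y-%m-%d") if text else None


def audit(export_text, as_of, inactive_days=90):
    """Return (account, finding_code, detail) tuples for every issue found."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["SamAccountName"]
        enabled = row["Enabled"] == "True"
        never_expires = row["PasswordNeverExpires"] == "True"
        last_logon = _date(row["LastLogonDate"])
        groups = {g for g in row["MemberOf"].split(";") if g}
        priv_groups = groups & PRIVILEGED_GROUPS

        # "Ghost" accounts: enabled but never used, or unused past the threshold.
        inactive = enabled and (last_logon is None or last_logon < cutoff)
        if inactive:
            detail = "never logged on" if last_logon is None else f"last logon {last_logon:%Y-%m-%d}"
            findings.append((name, "inactive", detail))
        if never_expires:
            findings.append((name, "password_never_expires", f"set {row['PasswordLastSet']}"))
        # Standing privilege on an unused account is the worst combination.
        if priv_groups and inactive:
            findings.append((name, "privileged_inactive", ", ".join(sorted(priv_groups))))
        # Disabling an account without removing it from admin groups leaves
        # a membership that is quietly reactivated if the account ever is.
        if priv_groups and not enabled:
            findings.append((name, "disabled_in_privileged_group", ", ".join(sorted(priv_groups))))
    return findings


def summary(findings):
    """Count findings per code, for a dashboard or report."""
    counts = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


def run(as_of=datetime(2022, 10, 19)):
    return audit(USER_EXPORT, as_of)


if __name__ == "__main__":
    results = run()
    for account, code, detail in results:
        print(f"{account:16} {code:30} {detail}")
    print(summary(results))
```

On the constructed export only admin.jane is clean; the legacy service account scores three findings at once (unused for over a year, non-expiring password, still in Domain Admins), which is exactly the kind of account a PAM deployment should onboard or remove before it goes live.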
PAM solutions also do not enable you to understand the behavior of your privileged users. Lepide tracks user behavior and alerts when behavior deviates from the norm using anomaly spotting. Lepide also analyses user behavior and can suggest users that may have excessive permissions to data based on their data usage patterns.
Finally, Lepide Data Security Platform will help you understand where your sensitive data is and why it is sensitive. This is important as it will help you determine which of your users should be able to access the data. The solution will also spot trends in behavior around interactions with this data and identify excessive permissions.