The role of privileged accounts in IT security strategy

A look at almost every mega breach of the last couple of years reveals one thing. Despite all of the sophistication around other security measures, ultimately a privileged account is compromised and used to gain unauthorised access to highly sensitive, valuable systems and data.

“The challenge is you want to make sure only authorised users you trust have access to those credentials,” says John Worrall, the Global Chief Strategist for CyberArk. “If the credentials get into the wrong user’s hands that’s when everything breaks loose”.

Worrall says there are three pillars to securing privileged accounts: locking down credentials, isolating and controlling sessions, and continuously monitoring.

“The first step is to find all the credentials for your accounts and secure them in a vault with multiple layers of security. Strengthen controls by implementing policy-based secure access, including using two-factor authentication and use secure workflows, so only authorised accounts can access appropriate applications and systems.”

Pillar 1: Lock down credentials

Organisations must put policies and rules in place so that privileged accounts are accessed and used correctly. That includes password rotation and usage policies based on the role of the user and the value of the data protected by a credential, ranging from weekly password changes through to single-use passwords.

“This is critical,” says Worrall. “With recent reports suggesting adversaries can be inside networks for an average of 200 days before detection, regular rotation of passwords can be an effective weapon in stopping an adversary from wreaking havoc should they breach your first lines of defence.”

“The key point is it used to be that organizations would rotate passwords every 90 days, 60 days or 30 days. Those timeframes are just outlandishly long. We encourage people to think in terms of one-time passwords, hours, days and weeks – not months”.

“Those privileged credentials that require protection aren’t just user accounts,” he adds. “Privileged credentials also include controls for application to application or application to system communications, as well as SSH keys.”

Worrall says it’s critical to consider how a credential is used. Not all credentials are assigned to human users: system users, scripts, service accounts, devices and applications, sometimes with account logins hard-coded into source code, also have to be considered. Industry studies show that most companies have as many as two to three times more privileged accounts than employees. These aren’t all allocated to people; many exist so that systems and databases can be accessed and operate correctly.

“You have to get in there and figure out a way to rotate those credentials because when they’re captured by an attacker they’re just as powerful as other administrative accounts.”

Pillar 2: Isolate and control sessions

Although there are systems available for securing credentials and managing password rotation, it’s also important to focus on preventing malware attacks and controlling privileged access. One important step is defining policies for those accounts based on a risk assessment.

Worrall says how credentials are used poses a challenge. Many IT departments feel that they have secured administrative workstations but in today’s world, with services often provided remotely, there’s no way to know whether the workstation being used by a system administrator is safe.

“It’s important to ensure that a privileged credential never leaves the secured environment,” advises Worrall.

You can also obscure passwords so administrators never actually see the password when carrying out an action while using an account with elevated privileges.

It’s also important to understand that privileged accounts aren’t only IT administration accounts. Operational staff can have elevated access in many situations. Marketing teams might have access to corporate social media accounts, which can be abused by malicious parties. For example, a breach at the Associated Press saw a false report posted that influenced the share price of a large company.

Many of the challenges associated with privileged access can be overcome by centralising processes. When an elevated account is used, it’s accessed by a user through a central hub that only allows access under certain conditions and limits the use to specific purposes. That way, an account can’t be used to move laterally across the network, looking to exploit weaknesses and continue to elevate privileges. Instead, a privileged account can only be used for direct access to a specific system or dataset.

This approach has several benefits.

“We have a central point of control that allows customers to monitor everything, record it, index it for a full forensic record and it also lets us have ‘over the shoulder’ viewing of what’s going on in real time. If you’re doing something very sensitive, a ‘kill switch’ can be hit to terminate the session if something wrong is happening,” says Worrall.


Pillar 3: Continuously monitor

Behavioural analytics can be used to understand what is going on in the environment.

“If we see some behaviour that is unlike any previous behaviour – sound an alert.”

In addition, it’s important to identify credentials that are being used outside the controlled environment and those that don’t exist within the secure vault. This goes further than simply capturing the data about credential use and sending alerts. An effective credential management system will automatically stop rogue credentials from being used or automatically rotate passwords when a credential is used in an unauthorised way.

This data can be correlated with output from a SIEM and other sources so that potential attacks can be mitigated. And because the credential management system stores its own usage records, those records can be combined with the other sources to identify and potentially locate attackers.
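As an added example that is not from the article or from CyberArk, the following Python monitor ties the rotation policy of Pillar 1 to the checks of Pillar 3: the vault inventory, the hub hostname `pam-hub01`, the account names and the audit lines are all constructed, and each event is classified into the actions the text describes (block a credential that is not in the vault, rotate one used outside the controlled environment or due by policy, alert on behaviour unlike any seen before).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HUB = "pam-hub01"  # assumed hostname of the central access hub (not from the article)
@dataclass
class Credential:
    max_age: timedelta                  # rotation interval set by role and data value
    single_use: bool = False            # one-time password: rotate after every use
    last_rotated: datetime = datetime(2016, 3, 1)
    known_hosts: set = field(default_factory=set)  # source hosts seen using it before

# Constructed vault inventory: credentials already discovered and placed under control.
VAULT = {
    "dba_root": Credential(timedelta(days=7), known_hosts={"jump01"}),
    "svc_backup": Credential(timedelta(hours=12), known_hosts={"bkp01"}),
    "break_glass": Credential(timedelta(days=1), single_use=True),
}
# Constructed audit lines: which account was used, from where, and by which path.
LOG = [
    "ts=2016-03-02T09:00 user=dba_root src=jump01 via=pam-hub01 target=db01",
    "ts=2016-03-02T09:05 user=dba_root src=laptop42 via=pam-hub01 target=db01",
    "ts=2016-03-02T09:10 user=svc_backup src=bkp01 via=direct target=fs01",
    "ts=2016-03-02T09:15 user=break_glass src=jump01 via=pam-hub01 target=core01",
    "ts=2016-03-02T09:20 user=admin_old src=jump01 via=pam-hub01 target=db02",
]
NOW = datetime(2016, 3, 2, 9, 30)
def rotation_due(cred: Credential, now: datetime) -> bool:
    # Single-use credentials rotate after every use; others once past their interval.
    return cred.single_use or now - cred.last_rotated >= cred.max_age

def parse(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split())  # 'key=value ...' -> dict

def check_events(lines, vault, now):
    """Return (account, finding, action) per event; 'rotate' actions update the vault."""
    findings = []
    for ev in map(parse, lines):
        acct, cred = ev["user"], vault.get(ev["user"])
        if cred is None:                                # credential never found and vaulted
            findings.append((acct, "not in vault", "block"))
        elif ev.get("via") != HUB:                      # used outside the controlled path
            findings.append((acct, "bypassed hub", "rotate"))
        elif cred.known_hosts and ev["src"] not in cred.known_hosts:
            findings.append((acct, "new source host", "alert"))  # unlike any prior use
        elif rotation_due(cred, now):
            findings.append((acct, "rotation due", "rotate"))
        else:
            findings.append((acct, "ok", "allow"))
        if findings[-1][2] == "rotate":                 # auto-rotate on misuse or by policy
            cred.last_rotated = now
    return findings
```

Run `check_events(LOG, VAULT, NOW)` to see the five classifications; in a real deployment the `known_hosts` baseline would be learned from history and the SIEM would receive the findings.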

What’s next?

Worrall says many markets across Asia Pacific are compliance driven rather than risk driven.

“They’re doing what they’re asked to do,” he says. “We’ve seen that change first, here in Australia. It’s mimicking what we see in Europe and America. There’s a shift from being very compliance-driven around privilege to being more risk or security driven. Compliance will set the floor. But being compliant doesn’t mean you’re secure.”

In order to manage privileged credentials, Worrall says, the first step is for an organisation to understand its risk profile and what its attack surface is.

“The second step is to move from a project-based approach to a program-based approach, which is a new way of approaching enterprise security.”

Centralised credential management will become an effective layer in an organisation’s security program, enabling it to protect the heart of the enterprise.

Stories by Anthony Caruana