Top seven challenges of achieving privilege and application control

By Vincent Goh, Vice President - Asia Pacific and Japan, CyberArk

In many organisations, privilege delegation can be an all-or-nothing decision. Users typically are given either full administrator rights or have no administrative rights at all. As a result, business users and IT administrators often end up with far more privileges than they need.

This creates a range of challenges for organisations keen to make their IT infrastructures as secure as possible. The top seven challenges are:

1. Powerful accounts represent a large attack surface

Accounts with local administrator privileges represent a large attack surface as they exist on every endpoint and server within the IT environment. Individual user accounts on these same machines that have administrator privileges only expand the attack surface.

Users with administrative rights can intentionally or accidentally change system configurations. They can disable or uninstall anti-virus tools and stop existing services such as a firewall. They could even install malware or reset passwords, locking others out.

From a security perspective, accounts with local administrator privileges are frequently targeted by advanced attackers due to the elevated privileges they provide.

2. Balancing security with productivity

While it’s a security best practice to revoke administrator privileges from business users, many organisations are hesitant to do so. Without those rights, users would be forced to call the help desk every time they need privileges simply to do their day-to-day jobs, resulting in rising frustration and an overwhelmed IT team.

3. Too few privileges can lead to privilege creep and increased risks

If all administrative rights are revoked from business users, the IT team will occasionally need to re-grant privileges so those users can perform certain tasks. However, once privileges are re-granted, they are rarely revoked. So, over time, organisations end up with many of their users holding local administrator rights all over again. This ‘privilege creep’ reopens the security loophole associated with excessive administrative rights.
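The ‘privilege creep’ described above is easy to detect if every re-grant is recorded with an expiry and the local Administrators group on each machine is compared against that register. The following is an added example, not code from the article or from CyberArk: the host inventory and the grant register are constructed sample data, and in practice the membership would be collected from each endpoint (for example with `Get-LocalGroupMember Administrators` on Windows) and the grants from the help desk ticketing system.

```python
"""Audit local administrator group membership against time-bounded grants.

Added example, not part of the article. LOCAL_ADMINS and GRANTS are
constructed sample data standing in for an endpoint inventory and a
help desk register of approved, time-limited elevations.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    user: str
    host: str
    ticket: str
    granted: date
    expires: date


# Constructed sample: current members of the local Administrators group per host.
LOCAL_ADMINS = {
    "WS-0101": {"BUILTIN\\Administrator", "CORP\\alice"},
    "WS-0102": {"BUILTIN\\Administrator", "CORP\\bob", "CORP\\carol"},
    "WS-0103": {"BUILTIN\\Administrator"},
}

# Constructed sample: every elevation the help desk approved, each with an expiry.
GRANTS = [
    Grant("CORP\\alice", "WS-0101", "HD-1001", date(2024, 1, 10), date(2024, 1, 17)),
    Grant("CORP\\bob", "WS-0102", "HD-1042", date(2024, 3, 1), date(2024, 3, 8)),
]

# Accounts expected to hold local administrator rights on every machine.
BASELINE = {"BUILTIN\\Administrator"}


def audit(local_admins, grants, baseline, today):
    """Return {host: [(user, reason), ...]} for memberships that should be revoked.

    A non-baseline member is flagged when there is no grant for that user on
    that host, or when the grant exists but today is outside its window.
    """
    by_key = {(g.user, g.host): g for g in grants}
    findings = {}
    for host, members in sorted(local_admins.items()):
        for user in sorted(members - baseline):
            g = by_key.get((user, host))
            if g is None:
                reason = "no approved grant"
            elif today > g.expires:
                reason = f"grant {g.ticket} expired {g.expires.isoformat()}"
            elif today < g.granted:
                reason = f"grant {g.ticket} not active until {g.granted.isoformat()}"
            else:
                continue  # inside an approved window: nothing to do
            findings.setdefault(host, []).append((user, reason))
    return findings


if __name__ == "__main__":
    for host, items in audit(LOCAL_ADMINS, GRANTS, BASELINE, date(2024, 3, 5)).items():
        for user, reason in items:
            print(f"{host}: revoke {user} ({reason})")
```

Running the audit on a schedule and feeding its output back to the help desk closes the loop the text describes: a grant that was never revoked shows up as an expired ticket rather than silently becoming permanent.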

4. Too many privileges can increase the risk of insider and advanced threats

Many organisations are also hesitant to limit IT administrator privileges. In an ideal setting, system administrators, application owners and database administrators would each have their own set of permissions. In practice, however, this segregation of duties can be difficult to implement, leaving IT administrators with far more privileges than truly needed to do their jobs.

Without role-based privilege policies in place, sensitive systems can easily be damaged by inexperienced users, exploited by malicious insiders or compromised by advanced attackers.

5. There will always be an 'administrator' account on each machine

By design, every endpoint and server contains an administrator, root or similar account that gives anyone holding its credentials full administrative control. Even if you’ve removed administrator rights from individual user accounts, these powerful built-in accounts will still exist. Poor password management for them can result in the same password being reused across multiple systems, making it easy for an attacker who has compromised one machine to move laterally throughout the environment.

6. Despite limited privileges, malware can still get in

By limiting privileges to only those that are absolutely necessary, organisations can reduce their attack surface. The challenge, however, is that not all malicious applications need privileges to execute, and as attackers become more adept at circumventing defences, organisations are increasingly vulnerable to these types of malware.

Research shows most advanced attacks start with phishing emails sent to non-privileged business users and can include highly sophisticated malware. Once inside the network, the malware can compromise machines, steal data, capture credentials or damage systems.

7. Accurately tracking applications

Studies show it is not uncommon to find more than 20,000 different applications across an enterprise. This means malicious applications can easily hide in plain sight because IT teams simply don’t have the time to manually check everything.

With that kind of scale, identifying which applications are good, bad or unknown is daunting and can be cost prohibitive.

Implementing layered security controls

To address these seven challenges, organisations need to find flexible tools that automate the management of local administrator privileges and control of applications on endpoints and servers. This unique combination of least privilege and application control should be part of a balanced and layered security approach that helps organisations reduce their attack surface and protect against threats.

To achieve a balance of security and usability, organisations should consider adopting an integrated privilege management and application control solution that allows IT teams to:

  • Automatically determine what applications are trusted by the organisation, identify what privileges are required by each of these applications, and create policies based on these trusts to save valuable IT time and effort.

  • Remove local administrator rights from business users, but enable seamless privilege elevation, based on policy, to keep users productive without increasing the attack surface.

  • Granularly control which commands and tasks each IT administrator is permitted to execute based on role, to effectively segregate duties and reduce the risk of insider and advanced threats.

  • Enable trusted applications to seamlessly run in the environment while automatically blocking malicious applications and restricting privileges for unknown applications.

  • Control access to Local Administrator and Domain Administrator accounts that can be used to gain administrative access to Windows endpoints and servers. Store the credentials in a secure, centralised repository that supports strong access controls.

  • Immediately rotate all administrator passwords after each use to invalidate any credentials that may have been captured by keylogging software and to mitigate the risk of a Pass-the-Hash attack.

  • Monitor all activity related to Administrator accounts to enable rapid detection and alerting on anomalous activity that may signal an in-progress attack, as well as allow the security team to gain a more comprehensive audit trail.
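The last two points, rotation after every use and monitoring for anomalous use, can be checked against each other: a logon with the shared account while nobody has it checked out, or a checkin that is not followed by a rotation, is exactly the signal the text asks for. The following is an added example, not CyberArk's product logic and not code from the article; the event stream is a constructed sample day, and in a real deployment the events would come from the credential vault's checkout log and the endpoints' logon records.

```python
"""Flag shared-administrator credentials used outside a checkout or not rotated after use.

Added example, not code from the article or the product it describes.
EVENTS is a constructed sample standing in for vault checkout/checkin/rotate
records joined with endpoint logon events for the same account.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str     # "checkout" | "checkin" | "rotate" | "logon"
    account: str  # the shared administrator account
    actor: str    # requesting user (checkout/checkin), host (logon), "" (rotate)


def _t(hhmm: str) -> datetime:
    return datetime(2024, 3, 5, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample day for one shared account.
EVENTS = [
    Event(_t("09:00"), "checkout", "Administrator", "CORP\\alice"),
    Event(_t("09:05"), "logon", "Administrator", "WS-0102"),
    Event(_t("09:30"), "checkin", "Administrator", "CORP\\alice"),
    Event(_t("09:31"), "rotate", "Administrator", ""),
    Event(_t("13:00"), "checkout", "Administrator", "CORP\\bob"),
    Event(_t("13:10"), "logon", "Administrator", "WS-0107"),
    Event(_t("13:40"), "checkin", "Administrator", "CORP\\bob"),
    # No rotation after bob's checkin: the password he used is still valid.
    Event(_t("15:20"), "logon", "Administrator", "WS-0109"),
    Event(_t("16:00"), "checkout", "Administrator", "CORP\\carol"),
    Event(_t("16:30"), "checkin", "Administrator", "CORP\\carol"),
]


def analyse(events):
    """Single pass over time-ordered events; returns a list of finding strings."""
    findings = []
    holder = {}     # account -> user who currently has it checked out
    unrotated = {}  # account -> time of the last checkin not yet followed by a rotate
    for e in sorted(events, key=lambda ev: ev.at):
        stale = unrotated.get(e.account)
        if e.kind == "checkout":
            if stale is not None:
                findings.append(
                    f"{e.account}: checkout by {e.actor} at {e.at:%H:%M} while password "
                    f"unchanged since checkin at {stale:%H:%M}")
                del unrotated[e.account]  # report each missed rotation once
            holder[e.account] = e.actor
        elif e.kind == "checkin":
            holder.pop(e.account, None)
            unrotated[e.account] = e.at
        elif e.kind == "rotate":
            unrotated.pop(e.account, None)
        elif e.kind == "logon" and e.account not in holder:
            # Use with no open checkout: someone is holding a copy of the credential.
            note = f" (password unchanged since checkin at {stale:%H:%M})" if stale else ""
            findings.append(
                f"{e.account}: logon on {e.actor} at {e.at:%H:%M} with no open checkout{note}")
    for account, when in unrotated.items():
        findings.append(f"{account}: password unchanged since checkin at {when:%H:%M} (end of log)")
    return findings


if __name__ == "__main__":
    for line in analyse(EVENTS):
        print(line)
```

The two checks reinforce each other: if rotation had happened after bob's checkin, the 15:20 logon would still be flagged as outside any checkout, but the captured password would already be useless; with rotation missed, the same logon is both anomalous and potentially successful, which is why the finding carries the staleness note.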

Today’s business environment isn’t black and white, and security tools should not be either. Organisations must learn to strike a balance between security and usability to effectively reduce their attack surface while keeping users productive and reducing the burden on IT teams.
