A look at almost every mega breach of the last couple of years reveals one thing. Despite all of the sophistication around other security measures, ultimately a privileged account is compromised and used to gain unauthorised access to highly sensitive, valuable systems and data.
“The challenge is you want to make sure only authorised users you trust have access to those credentials,” says John Worrall, the Global Chief Strategist for CyberArk. “If the credentials get into the wrong user’s hands that’s when everything breaks loose”.
Worrall says there are three pillars to securing privileged accounts: Locking down credentials; isolating and controlling sessions; and continuously monitoring.
“The first step is to find all the credentials for your accounts and secure them in a vault with multiple layers of security. Strengthen controls by implementing policy-based secure access, including using two-factor authentication and use secure workflows, so only authorised accounts can access appropriate applications and systems.”
Pillar 1: Lock down credentials
Organizations must put policies and rules in place so privileged accounts are accessed and used correctly. That includes password rotation and usage policies based on the role of the user and value of data protected by a credential. This goes from weekly password changes through to single use passwords.
“This is critical,” says Worrall. “With recent reports suggesting adversaries can be inside networks for an average of 200 days before detection, regular rotation of passwords can be an effective weapon in stopping an adversary from wreaking havoc should they breach your first lines of defence.”
“The key point is it used to be that organizations would rotate passwords every 90 days, 60 days or 30 days. Those timeframes are just outlandishly long. We encourage people to think in terms of one-time passwords, hours, days and weeks – not months”.
“Those privileged credentials that require protection aren’t just user accounts,” he adds. “Privileged credentials also include controls for application to application or application to system communications, as well as SSH keys.”
Worrall says it’s critical to consider how a credential is used. Not all credentials are assigned to human users. System users, scripts, service accounts, devices and applications – sometimes with account log-ins hard coded into source code – also have to be considered. Industry studies show that most companies have as many as two to three times more privileged accounts than employees. These aren’t always allocated just to users, but are also needed so that systems and databases can be accessed and operate correctly.
“You have to get in there and figure out a way to rotate those credentials because when they’re captured by an attacker they’re just as powerful as other administrative accounts.”
Pillar 2: Isolate and control sessions
Although there are systems available for managing the security of credentials and managing password rotation, it’s also important to focus on preventing malware attacks and controlling privileged access. One important step is defining policies for those accounts based on a risk assessment.
Worrall says how credentials are used poses a challenge. Many IT departments feel that they have secured administrative workstations but in today’s world, with services often provided remotely, there’s no way to know whether the workstation being used by a system administrator is safe.
“It’s important to ensure that a privileged credential never leaves the secured environment,” advises Worrall.
You can also obscure passwords so administrators never actually see the password when carrying out an action while using an account with elevated privileges.
It’s also important to understand privileged accounts aren’t only IT administration accounts. Operational staff can have elevated access in many situations. Marketing teams might have access to corporate social media accounts, which can be used by malicious parties. For example, a breach at the Associated Press saw a false report made that influenced the share price of a large company.
Many of the challenges associated with privileged access can be overcome by centralising processes. When an elevated account is used, it’s accessed by a user through a central hub that only allows access under certain conditions and limits the use to specific purposes. That way, an account can’t be used to move laterally across the network, looking to exploit weaknesses and continue to elevate privileges. Instead, a privileged account can only be used for direct access to a specific system or dataset.
This approach has several benefits.
“We have a central point of control that allows customers to monitor everything, record it, index it for a full forensic record and it also lets us have ‘over the shoulder’ viewing of what’s going on in real time. If you’re doing something very sensitive, a ‘kill switch’ can be hit to terminate the session if something wrong is happening,” says Worrall.
Pillar 3: Continuously monitor
Behavioural analytics can be used to understand what is going on in the environment.
“If we see some behaviour that is unlike any previous behaviour – sound an alert.”
In addition, it’s important to identify credentials that are being used outside the controlled environment and those that don’t exist within the secure vault. This goes further than simply capturing the data about credential use and sending alerts. An effective credential management system will automatically stop rogue credentials from being used or automatically rotate passwords when a credential is used in an unauthorised way.
This data can be correlated with output from a SIEM and other sources so that potential attacks can be mitigated. And, as the credential management system is storing data, it can be used with those other sources to identify and potentially locate attackers.
Worrall says many markets across Asia Pacific are compliance driven rather than risk driven.
“They’re doing what they’re asked to do,” he says. “We’ve seen that change first, here in Australia. It’s mimicking what we see in Europe and America. There’s a shift from being very compliance-driven around privilege to being more risk or security driven. Compliance will set the floor. But being compliant doesn’t mean you’re secure.”
In order to manage privileged credentials, Worrall says the first step is for an organization to understand their risk profile and what their attack surface is.
“The second step is to move from a project-based approach to a program-based approach, which is a new way of approaching enterprise security.”
Centralized credential management will become an effective layer in an organization’s security programs, enabling them to protect the heart of the enterprise.