Privileged accounts represent a major vulnerability for all networks and systems. If a hacker can compromise a privileged account, they can do a lot more damage than if a regular account is compromised.
So what do you need to do to protect those accounts? Note that privileged accounts exist at the operating system level (Windows, Mac, Linux), at the application level (Adobe Cloud, Office 365), at the network level (Cisco firewalls) and at other levels as well.
Here are some specific, operational tips:
- Maintain an up-to-date inventory of all privileged accounts. Be sure to inventory accounts from critical Active Directory groups, such as Domain Admins, as well as root accounts on *nix servers. But also remember to include system admins for your databases, business applications like SAP and other high-risk applications, and network devices like firewalls, routers and phone switches. The inventory should identify the owner of each privileged account, the system component it is associated with and other relevant information. Keep your inventory of privileged accounts updated.
- Do not allow admins to share accounts. Make administrators accountable for their actions by personalizing their privileged accounts. Use the default administrator, root and similar accounts only when absolutely necessary; it is better to rename or disable them.
- Minimize the number of personal privileged accounts. Ideally, each admin should have only one personalized privileged account for all systems.
- Create a password policy and strictly enforce it. Follow password best practices such as changing default passwords, not hard-coding passwords, changing passwords if they may be compromised or if a staff member leaves, not storing them unencrypted, etc.
- Use strong multi-factor authentication in addition to passwords.
- Limit the scope of permissions for each privileged account. Many privileged accounts have no limits; they have full access to everything. To minimize risk, you should enforce two key principles: separation of duties, which means that no employee can perform all privileged actions for a given system or application, and least privilege, which means that employees are granted only the bare minimum privileges needed to perform their jobs.
- Use privilege elevation best practices. When users need additional access rights, they should follow a documented request and approval process, either on paper or using a ticket in a privileged access management system. Upon approval, elevate the user’s privileges only for the time period required to perform the specified task. Similarly, IT admins should use their privileged accounts only when they need the elevated permissions for a specific task; they should use their regular accounts otherwise.
- Monitor and log all privileged activity. Be vigilant about what actions privileged users are taking by using a variety of logging and monitoring techniques.
- Extend your privileged access protection past the firewall. Don’t forget about accounts associated with social media, SaaS applications, partners, contractors and customers; they should also be protected according to your privileged account management policy.
- Analyze the risk of each privileged user. Continually assess the danger each privileged user poses, and focus on investigating and securing the riskiest ones first.
- Review privileged access rights at appropriate intervals (at least once a month) and regularly review privileged permissions assignment. Document all changes in detail.
- Educate users. Give your staff the information they need to succeed, and be sure to update them about policies and procedures whenever there is a change to their daily routine. Everyone — including not just admins but all users — should know how to properly manage and use their privileged credentials.
- Document your account management policies and practices. Last but certainly not least, make sure your rules and processes are explicitly written down and signed by management, so everything is clear and enforceable.
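Several of the tips above (inventory with owners, no shared accounts, default accounts disabled, one personal privileged account per admin, monthly review) can be checked mechanically against the inventory itself. The following is an added example, not part of the original article; the CSV columns, the sample rows, the list of default account names and the 31-day review threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory; column names and rows are assumptions for this example.
SAMPLE_INVENTORY = """account,system,type,owner,enabled,last_review
adm-jsmith,AD:Domain Admins,personal,jsmith,yes,2024-05-20
adm-jsmith2,SAP,personal,jsmith,yes,2024-05-20
root,linux-db01,default,,yes,2024-01-10
Administrator,AD:Domain Admins,default,it-ops,no,2024-05-28
fw-admin,edge-firewall,shared,netteam,yes,2024-05-15
adm-akhan,Office 365,personal,akhan,yes,2024-03-02
"""

DEFAULT_NAMES = {"root", "administrator", "admin", "sa"}  # assumed list of default names
MAX_REVIEW_AGE_DAYS = 31  # assumed reading of "at least once a month"


def audit_inventory(csv_text, today):
    """Return a sorted list of (account, system, finding) tuples."""
    findings = []
    personal_by_owner = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct, system = row["account"], row["system"]
        owner = row["owner"].strip()
        enabled = row["enabled"].strip().lower() == "yes"
        if not owner:
            findings.append((acct, system, "no owner recorded"))
        if row["type"] == "shared":
            findings.append((acct, system, "shared account"))
        if acct.lower() in DEFAULT_NAMES and enabled:
            findings.append((acct, system, "default account enabled"))
        if row["type"] == "personal" and owner:
            personal_by_owner[owner].append((acct, system))
        age = (today - date.fromisoformat(row["last_review"])).days
        if age > MAX_REVIEW_AGE_DAYS:
            findings.append((acct, system, f"review overdue ({age} days)"))
    for owner, accounts in personal_by_owner.items():
        if len(accounts) > 1:  # more than one personal privileged account per admin
            for acct, system in accounts:
                findings.append((acct, system, f"{owner} has {len(accounts)} personal privileged accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for acct, system, finding in audit_inventory(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(f"{acct:15} {system:18} {finding}")
```

In practice the CSV would be exported from the sources the inventory tip names (directory groups, servers, databases, business applications, network devices) and the findings fed into the periodic access review.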
While these steps will not guarantee success, they will definitely improve the odds.