Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/27/2020
02:00 PM
Tim Keeler
Tim Keeler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Standing Privilege: The Attacker's Advantage

The credential is a commodity and will continue to be breached. As a result, focus and spending must shift toward the access that the credentials provide.

The credential has become a hot commodity for hackers, with 74% of breached organizations admitting the breach involved access to a privileged account. In fact, the "Verizon Data Breach Investigations Report" (DBIR) found that out of all attacks, 29% of total breaches involved the use of stolen credentials, second only to phishing. Once a credential is compromised, privileged access management solutions are rendered useless.

The underlying reason behind this is the access credentials provide — specifically, the 24x7x365 always-on, high levels of access that administrator credentials allow, which can be used to move laterally across a network, steal sensitive data, or deploy ransomware. Unfortunately, the average privileged access management or endpoint privilege management solution was not purpose-built to address the risks associated with standing privilege. 

As a result, we discovered that, on average, in enterprises with over 15,000 devices, there are nearly 500 users with admin access to the average employee workstation.

Figure 1: The state of standing privilege in the average enterprise environment today (as seen by Remediant). (Source: Remediant)
Figure 1: The state of standing privilege in the average enterprise environment today (as seen by Remediant). (Source: Remediant)

 
How and Why Does Standing Privilege Get So Messy?
Privileges are typically in the form of group memberships or device-level permissions that allow the execution of privileged commands. Even if a user is not explicitly given access to a server or workstation, that user's domain or group-level permissions often allow access whenever that person needs or wants it.

Figure 2: How administrator privileges spread. (Source: Remediant)
Figure 2: How administrator privileges spread. (Source: Remediant)


When faced with an IT issue in the workplace, we look for and expect the fastest resolution so we can move forward with our work duties. In the world of permissions, this means access is being provided through groups to IT help desks and server administrators to ensure they can do their job effectively. Managing groups at a granular level becomes very complex very quickly, so admins always tend to have more access than they need. In addition, administrator rights change over time for a variety of reasons; attackers know this and use it to their benefit. The end result: Many security teams are left in the dark. They need to be more diligent when new members are added, and especially as help desk and administrator access is given.

This isn't the only way the amount of privileged access in an ecosystem changes. For example, old members who leave their teams or the company aren't always removed in a timely fashion, group memberships change, local accounts get added and removed, and the list goes on. In some cases, all of these are traps organizations fall into on a regular basis that ultimately result in an invisible sprawl of administrator access across an enterprise. Not only is 24x7x365 access unnecessary for employees, but, more importantly, it's available to an attacker using the average employee workstation as an entry point. If an attacker is able to phish their way into an employee's workstation, that person now has the proverbial "keys to the kingdom."

Addressing the Problem: Introducing Zero Standing Privilege
The reason our industry has failed miserably at addressing standing privilege is because we struggle to answer two simple questions: What admin credentials exist and have standing access? And, how do you protect them?  

Coined by Gartner, zero standing privileges (ZSP) is an emerging, reframed approach to privileged access management that addresses both questions.

If we agree that standing privilege is defined as accounts that have persistent privilege access across a set of systems, ZSP is the exact opposite. It is the purest form of just-in-time administrator access, ensuring that the principle of least privilege is enforced by granting, to authorized users, the privileged access they need for the minimum time and only the minimum rights that they need. This elimination of standing privilege through zero standing privilege is really a key inflection point in the understanding of privilege access today. The figure below outlines the risk exposure of an account with standing privileges versus an account in a ZSP environment:

A Normal Day for a Windows Administrators
Figure 3: Risk exposure of an account with standing privileges versus an account with zero standing privilege. (Source: Gartner)
Figure 3: Risk exposure of an account with standing privileges versus an account with zero standing privilege. (Source: Gartner)

 
To reach this goal of ZSP, begin by measuring the organization's standing privilege to understand what administrator credentials exist. This includes discovering and identifying persistent accounts across workstations and servers, as well as mapping out admin access on a system-by-system basis.

Once standing privilege is measured, it can be managed, and from there it is a phased approach to protecting an enterprise environment and achieving ZSP. Start by "stopping the bleeding" by preventing the creation of new rogue administrator accounts. It is critical that firms have the ability to do this across all types of systems (Windows, Mac, Linux) and all types of access (local, group, domain). Once the "bleeding" has stopped, it's time to determine which accounts are authorized and which accounts are not, and to what systems. Unauthorized access should then be revoked, ideally in bulk, to quickly mitigate one of the accounts being compromised.

The last step to achieving ZSP is to shift administrators into just-in-time mode that allows them to gain access to the system when they need to perform required tasks, but only for the right time frame and only to the right system(s). Access should be revoked once the work is complete and only provisioned back (limited to the right system for the right time frame) when needed again. 

ZSP is an inflection point in privilege management. It is encouraging to see the market has started to recognize standing privilege as a key risk that needs to be addressed and that vaulting secrets and rotating local admin passwords on critical servers are not sufficient. Attackers are targeting workstations as the low-hanging fruit and using the admin access available from those workstations to spread across networks.

The credential has become a commodity that will continue to be breached. As a result, the focus and spending must shift toward the access the credentials provide. As an industry, if we do not take a ZSP stance in our environments, stolen credentials will continue as the attacker's low-hanging fruit and continue contributing to 80% of all data breaches today.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "The Entertainment Biz Is Changing, but the Cybersecurity Script Is One We've Read Before."

 

Tim Keeler is the Founder and CEO of Remediant, a leading provider of privilege access management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22539
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
CVE-2018-19942
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QT...