Tim Keeler
Who Gets Privileged Access & How to Enforce It

Let's begin by re-evaluating IT infrastructures to determine who has access to what, why, and when.

When we look at the most significant data breaches of recent years, such as those at Marriott, Microsoft Outlook, Equifax, the US Office of Personnel Management, and Yahoo, a common theme emerges: stolen administrator credentials. In the past year alone there has been a 98% increase in web-based email account compromises due to stolen credentials, and 80% of hacking-related breaches are still tied to passwords. That should make us ask where existing identity and access management tools are falling short.

Historically, privileged access management (PAM) has focused on granting the least privilege possible and removing privilege from users who don't need it. That approach may have worked 20 years ago, but attackers have since found a way around it: steal a privileged credential, then move laterally across the organization to find and exfiltrate sensitive data. So how do we modernize our approach to PAM? A good first step is to re-evaluate the IT infrastructure and determine who has access to what, why, and when.

Continuously Monitor for Credential Abuse to Prevent Lateral Movement
Credential abuse puts admin credentials at risk and can wreak havoc on a network. Consider a common scenario: a user's workstation is infected with malware and the user calls the support desk for help. The IT support person logs on to the infected machine with his or her privileged account to remedy the situation, unintentionally exposing that credential. Once a privileged account authenticates interactively to a compromised host, the attacker can harvest its password hash or Kerberos ticket from memory and reuse it elsewhere on the network. From then on the attacker operates with the IT admin's valid credentials, and because the same credentials are also being used legitimately, malicious activity is hard to tell apart from routine administration.

Therefore, companies must carefully monitor logins by collecting all types of authentication events in a central location. Collecting and regularly reviewing these event logs is essential to understanding what normal activity looks like, so that abnormal activity, such as an administrator account appearing on hosts it never normally touches, or one account reaching many hosts within a few minutes, can be identified and stopped.

As another rule of thumb, domain administrator accounts should only be used to log in to domain controllers, never to ordinary servers or workstations. Domain controllers in Active Directory hold the accounts, and the password hashes, for everyone in the company and are rightly seen as the box that holds the keys to the kingdom. If a domain controller is compromised, the attacker obtains the credentials of every account in the domain.
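As an added example (not from the article or from Remediant), here is the kind of check a central log review can run over logon events to catch the two conditions just described: a domain admin account touching a host other than a domain controller, and one account fanning out across many hosts in a short window. The sample events are constructed, with fields modelled on Windows Security Event ID 4624 (account, host, logon type); the tier-0 account list, domain controller list, window and threshold are assumptions to adjust for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real log output). Fields are modelled on
# Windows Security Event ID 4624: TargetUserName, Computer, LogonType.
# Logon types: 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2021-04-01T09:00:00", "user": "alice",     "host": "WS-114", "logon_type": 2},
    {"time": "2021-04-01T09:05:00", "user": "da-bob",    "host": "DC01",   "logon_type": 10},
    {"time": "2021-04-01T09:07:00", "user": "da-bob",    "host": "WS-114", "logon_type": 10},  # DA on a workstation
    {"time": "2021-04-01T09:10:00", "user": "helpdesk1", "host": "WS-114", "logon_type": 2},
    {"time": "2021-04-01T09:11:00", "user": "helpdesk1", "host": "WS-115", "logon_type": 3},
    {"time": "2021-04-01T09:12:00", "user": "helpdesk1", "host": "WS-116", "logon_type": 3},
    {"time": "2021-04-01T09:13:00", "user": "helpdesk1", "host": "WS-117", "logon_type": 3},
    {"time": "2021-04-01T09:14:00", "user": "helpdesk1", "host": "FS01",   "logon_type": 3},
    {"time": "2021-04-01T11:00:00", "user": "helpdesk1", "host": "WS-200", "logon_type": 3},
]

# Assumed environment data: which accounts are tier 0 and which hosts are DCs.
TIER0_ACCOUNTS = {"da-bob"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def tier_violations(events, tier0=TIER0_ACCOUNTS, dcs=DOMAIN_CONTROLLERS):
    """Tier-0 (domain admin) accounts may only authenticate to domain controllers.

    Any logon by such an account to another host leaves its credential exposed there.
    """
    return [e for e in events if e["user"] in tier0 and e["host"] not in dcs]


def fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Flag accounts that reach `threshold` or more distinct hosts inside one `window`.

    One account touching many hosts within minutes is a classic lateral-movement
    signature. Returns {user: max distinct hosts seen in any window}.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    hits = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - start <= window}
            if len(hosts) >= threshold:
                hits[user] = max(len(hosts), hits.get(user, 0))
    return hits


if __name__ == "__main__":
    for e in tier_violations(EVENTS):
        print(f"TIER VIOLATION: {e['user']} logged on to {e['host']} "
              f"(type {e['logon_type']}) at {e['time']}")
    for user, n in fan_out(EVENTS).items():
        print(f"LATERAL MOVEMENT? {user} reached {n} hosts inside a 10-minute window")
```

Run against the constructed data, the first rule reports da-bob's RDP session to WS-114 and the second reports helpdesk1 reaching five hosts in four minutes; the 11:00 logon falls outside the window and does not count. In practice the tier-0 list should come from the directory (the members of Domain Admins and equivalent groups, expanded through nesting) rather than a hand-maintained set.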

Identify Levels of Access, Including Nested Administrator Groups
To defend against credential-based attacks, it's especially crucial to identify the various levels of IT admin access and determine who holds how much privilege across the network. This matters because 94% of Microsoft vulnerabilities can be mitigated simply by removing admin rights from users: exploit code running as a standard user cannot do what it could with administrator privileges.

Tracking administrator credentials is a problem for companies that lack visibility into who, and where, their administrators are, because every system on the network can have its own administrator configuration, such as its own local Administrators group.

This is easier said than done, especially with the nested groups found in Active Directory. Nesting means a group can itself be a member of other groups, which can in turn be members of further groups. While nesting can be helpful, it also creates overlap and causes IT admins and security teams to lose visibility into what access is granted and to whom. Some organizations have moved away from deep nesting altogether because of these management challenges.

When people create such groups, they rarely understand the consequences for whoever has to administer the environment afterwards. Admin rights grow over time, and the number of systems a single membership reaches grows with every layer of nesting. Few organizations have tooling that shows how one small change, such as adding a group to another group, can transitively grant access to thousands of systems.

The risk of data exfiltration, breaches, and credential theft rises dramatically when companies add users and admins to these nested groups, because membership quietly grants full, unrestricted access to files, folders, and other systems the members don't need.
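To make the nesting problem concrete, here is an added example (not the article's or Remediant's code) that expands nested group membership into the set of users who are effectively members, then maps those users onto each host's local Administrators group to show the blast radius of a single membership. The directory data and host list are constructed for illustration and include a membership cycle, which real directories can contain and which naive recursion would loop on.

```python
from collections import deque

# Constructed directory data for illustration (not from any real environment).
# group name -> direct members; names present as keys are groups, others are users.
GROUPS = {
    "Domain Admins": {"da-bob", "Tier0 Ops"},
    "Tier0 Ops":     {"carol", "Infra Team"},
    "Infra Team":    {"dave", "Helpdesk"},
    "Helpdesk":      {"helpdesk1", "Infra Team"},   # cycle: Infra Team <-> Helpdesk
    "Server Ops":    {"erin", "Infra Team"},
}

# host -> direct members of that host's local Administrators group (constructed).
LOCAL_ADMINS = {
    "DC01":   {"Domain Admins"},
    "FS01":   {"Domain Admins", "Server Ops"},
    "WS-114": {"Domain Admins", "Helpdesk", "alice"},
}


def expand(group, groups=GROUPS):
    """Return {user: membership path} for every user transitively in `group`.

    Breadth-first with a visited set, so nested cycles cannot loop forever; the
    recorded path is the shortest chain of groups that grants the membership.
    """
    users, seen = {}, set()
    queue = deque([(group, [group])])
    while queue:
        g, path = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in sorted(groups.get(g, ())):
            if member in groups:
                queue.append((member, path + [member]))
            elif member not in users:
                users[member] = path + [member]
    return users


def admin_footprint(hosts=LOCAL_ADMINS, groups=GROUPS):
    """Return {user: set of hosts} on which the user is effectively a local admin."""
    footprint = {}
    for host, members in hosts.items():
        for m in members:
            for user in (expand(m, groups) if m in groups else {m}):
                footprint.setdefault(user, set()).add(host)
    return footprint


def blast_radius(footprint):
    """Users ordered by how many hosts they can administer, largest first."""
    return sorted(footprint.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for user, path in expand("Domain Admins").items():
        print(f"{user:10} is a Domain Admin via {' > '.join(path)}")
    for user, hosts in blast_radius(admin_footprint()):
        print(f"{user:10} admin on {len(hosts)} host(s): {sorted(hosts)}")
```

On the constructed data, helpdesk1 turns out to be a Domain Admin through four layers of nesting (Domain Admins > Tier0 Ops > Infra Team > Helpdesk) and is therefore an administrator on the domain controller, even though nobody ever added a help desk account to Domain Admins directly. That is exactly the kind of path a membership review needs to surface.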

Rethink How Enterprises Limit IT Admin Access
There are many IT administrative functions within any organization, and IT plays a critical role in keeping the business running. Administrators need to reset passwords, update software, troubleshoot latency issues, answer help desk calls, and so on. But when a company gives its IT administrators standing, 24/7/365 access to most or all of its infrastructure, one compromised admin account is enough to breach the entire network. Attackers know this, and they exploit it quite successfully.

Making admin access dynamic, granting it only when and where it's needed, removes the standing access that opens the door to data breaches. Just-in-time administration is an approach in which a system administrator grants a user privileges on a resource for a limited period, long enough to log in and address an issue, after which the permission is rescinded. The rescinding step must be automatic and enforced; a time limit that nothing enforces is just a note in a database. For another layer of protection, just-in-time access should be paired with two-factor authentication for the privileged session, so that a stolen password alone is not enough to obtain a grant.
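The grant lifecycle described above, as an added example that is neither the article's nor Remediant's code: a hypothetical broker that issues time-bound local-admin grants, requires a ticket reference as justification, caps the time-to-live, and runs an expiry sweep that actually removes the membership. The policy values, user and host names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value for this example: no grant may outlive a working shift.
MAX_TTL = timedelta(hours=4)


@dataclass
class Grant:
    user: str
    host: str
    granted_at: datetime
    expires_at: datetime
    ticket: str          # change or incident reference justifying the access
    revoked: bool = False


class JitBroker:
    """Hypothetical just-in-time admin broker (example code, not a real product).

    `live` models the current members of each host's local Administrators group;
    like a real group, it only changes through grant() and sweep().
    """

    def __init__(self):
        self.live = {}       # host -> set of users currently holding admin
        self.ledger = []     # every grant ever issued, kept for audit
        self.audit = []      # (action, user, host, time)

    def grant(self, user, host, ttl, ticket, now):
        if not ticket:
            raise ValueError("a ticket or incident reference is required")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"ttl must be positive and at most {MAX_TTL}")
        g = Grant(user, host, now, now + ttl, ticket)
        self.ledger.append(g)
        self.live.setdefault(host, set()).add(user)
        self.audit.append(("grant", user, host, now))
        return g

    def is_admin(self, user, host):
        return user in self.live.get(host, set())

    def sweep(self, now):
        """Revoke every expired grant and rebuild the live groups from what remains.

        If this does not run on a schedule, the TTL is never enforced and the
        access silently becomes the persistent access JIT was meant to remove.
        """
        revoked = []
        for g in self.ledger:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                revoked.append(g)
                self.audit.append(("revoke", g.user, g.host, now))
        for host in self.live:
            self.live[host] = {g.user for g in self.ledger
                               if g.host == host and not g.revoked and g.expires_at > now}
        return revoked


def demo():
    """Walk one grant through its lifecycle; returns admin status at each step."""
    broker = JitBroker()
    t0 = datetime(2021, 4, 1, 9, 0)
    broker.grant("helpdesk1", "WS-114", timedelta(hours=1), "INC-1234", t0)
    during = broker.is_admin("helpdesk1", "WS-114")
    # An hour later the grant has expired, but nothing has enforced that yet:
    unswept = broker.is_admin("helpdesk1", "WS-114")
    broker.sweep(t0 + timedelta(hours=1))
    after = broker.is_admin("helpdesk1", "WS-114")
    return during, unswept, after


if __name__ == "__main__":
    print("admin during grant / after expiry without sweep / after sweep:", demo())
```

The middle value returned by `demo()` is the failure mode to watch for: the grant has expired on paper, but the account is still in the group until the sweep runs. On Windows Server 2016 and later domains, the Privileged Access Management optional feature lets Active Directory itself expire a group membership after a time-to-live, which closes that gap for domain groups; for local Administrators groups on member servers, something like the sweep above still has to run.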

With credential-based attacks at an all-time high, we need a real shift in security strategy. Companies can regain the upper hand by changing the question from "who should have access?" to "who should have access, when, and for how long?"

Tim Keeler is the Founder and CEO of Remediant, a provider of privileged access management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided ...
