
Operations // Identity & Access Management

8/20/2019 10:00 AM
Tim Keeler
Commentary

Who Gets Privileged Access & How to Enforce It

Let's begin by re-evaluating IT infrastructures to determine who has access to what, why, and when.

When we evaluate the most significant data breaches, such as the ones affecting Marriott, Microsoft Outlook, Equifax, the US Office of Professional Management, and Yahoo, each one has a common theme: stolen administrator credentials. In the past year alone, there has been a 98% increase in web-based email account compromises due to stolen credentials, and 80% of hacking-related breaches are still tied to passwords, which should make us question what's falling short with existing identity and access management tools.

Historically, privileged access management (PAM) has focused on giving the least amount of privilege possible and eliminating privilege for users who don't need it. While that approach may have worked 20 years ago, hackers have found workarounds to steal credentials and move laterally across organizations to find and exfiltrate sensitive data. So, how do we modernize our approach to PAM? One of the first things we can do is begin re-evaluating IT infrastructures to determine who has access to what, why, and when.

Continuously Monitor for Credential Abuse to Prevent Lateral Movement
Credential abuse puts admin credentials at risk and can wreak havoc in your network. For example, when users in a company network get infected with a virus, they usually call the support desk for help. Often, though, the IT support person unintentionally puts his or her credentials at risk while trying to remedy the situation, offering the attacker an easy entryway to further compromise the network. The attacker can now use the IT admin's credentials on the network alongside the admin's own legitimate activity, making it hard to tell the two apart.

Therefore, companies must carefully monitor logins by managing all types of authentication events in a centralized location. The collection and regular review of event logs plays a vital role in understanding regular versus abnormal network activity while also helping to identify and prevent attacks.

As another rule of thumb, domain administrators should only log in to domain controllers. Domain controllers in Active Directory hold the accounts for everyone in the entire company and are ultimately seen as the box that holds the keys to the kingdom. If a domain controller is compromised, the attacker effectively gains control of every account in the company.
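The two rules above (centralize authentication events, and keep domain admins off anything but domain controllers) can be turned into a simple detection. The following is an added example, not code from the article or from Remediant: it runs over a constructed set of records shaped like Windows logon events and flags every privileged-account logon to a host outside the assumed tier-0 set, rating interactive and RDP logons higher because they leave the account's credential material on the target host.

```python
from collections import defaultdict

# Constructed sample events (not real data); fields mirror a Windows 4624 logon.
SAMPLE_EVENTS = [
    {"time": "2019-08-20T09:01", "account": "CORP\\da-alice", "host": "DC01", "logon_type": 2},
    {"time": "2019-08-20T09:05", "account": "CORP\\da-alice", "host": "WKS-0421", "logon_type": 10},
    {"time": "2019-08-20T09:07", "account": "CORP\\bob", "host": "WKS-0421", "logon_type": 2},
    {"time": "2019-08-20T09:09", "account": "CORP\\da-carol", "host": "FS01", "logon_type": 3},
    {"time": "2019-08-20T09:12", "account": "CORP\\da-carol", "host": "DC02", "logon_type": 2},
]

PRIVILEGED = {"CORP\\da-alice", "CORP\\da-carol"}  # assumed Domain Admins members
TIER0_HOSTS = {"DC01", "DC02"}                      # assumed domain controllers
# Interactive (2) and RDP (10) logons leave reusable credential material on the
# target host; a network logon (3) does not, so it is rated lower.
CACHING_LOGON_TYPES = {2, 10}


def find_violations(events, privileged=PRIVILEGED, tier0=TIER0_HOSTS):
    """Return one finding per privileged-account logon to a host outside tier 0."""
    findings = []
    for ev in events:
        if ev["account"] not in privileged or ev["host"] in tier0:
            continue
        severity = "high" if ev["logon_type"] in CACHING_LOGON_TYPES else "medium"
        findings.append({"time": ev["time"], "account": ev["account"],
                         "host": ev["host"], "logon_type": ev["logon_type"],
                         "severity": severity})
    return findings


def exposed_hosts(findings):
    """Map each privileged account to the non-tier-0 hosts it has touched."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["account"]].add(f["host"])
    return {acct: sorted(h) for acct, h in hosts.items()}


if __name__ == "__main__":
    for f in find_violations(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['account']} -> {f['host']} "
              f"(logon type {f['logon_type']})")
```

The `exposed_hosts` summary is the list of machines whose memory may now hold that admin's credentials, which is where an incident responder would start.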

Identify Levels of Access, Including Nested Administrator Groups
To defend against credential-based attacks, it's especially crucial to identify the various levels of IT admin access, determining who has what amount of privilege across the network. This is important because 94% of Microsoft vulnerabilities can be mitigated by simply turning off admin rights.

Tracking administrator credentials becomes a problem for companies that struggle to gain visibility into who — and where — their administrators are because every system on a company's network can have a different configuration for administrators.

This can be easier said than done, especially with nested groups found within Active Directory. In a nested group structure, groups can themselves be members of multiple other groups. While nesting can be helpful, it can also create overlap and cause IT admins and security teams to lose visibility into what access is given and to whom. Some organizations have moved away from multiple levels of group nesting altogether because of these management challenges.

When people create such groups, they don't understand the upstream challenge they have from an IT admin perspective. Admin rights start growing and increase exponentially over time. No one has real tools to understand and see how small changes can grant access to thousands of nested systems.

The risks of data exfiltration, breaches, and credential theft attacks increase dramatically when companies add users and admins to these nested groups, where they get full, unrestricted access to files, folders, and other systems that they don't need.
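The visibility problem described in the three paragraphs above is a graph problem: a user's effective membership in a privileged group is the transitive closure of group-in-group nesting, including cycles. The following is an added example, not code from the article or from Remediant; it expands a constructed group snapshot breadth-first, records the chain of nested groups that grants each user the right, and reports every group that transitively contains a given user.

```python
from collections import deque

# Constructed directory snapshot: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": ["alice", "Server Ops"],
    "Server Ops": ["bob", "Helpdesk L2"],
    "Helpdesk L2": ["carol", "Helpdesk L1", "Server Ops"],   # cycle back into Server Ops
    "Helpdesk L1": ["dave", "erin"],
    "Backup Operators": ["frank", "Helpdesk L1"],
}


def effective_members(group, groups=GROUPS):
    """Breadth-first expansion of nested groups; returns {user: membership path}.

    The path is the chain of nested groups that grants the user the right,
    which is what an admin needs in order to unwind an unintended grant.
    """
    paths = {}
    seen = {group}                       # guards against membership cycles
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:         # a nested group: expand it once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:    # a user: record the first path found
                paths[member] = path + [member]
    return paths


def groups_granting(user, groups=GROUPS):
    """Every group whose effective (transitive) membership includes the user."""
    return sorted(g for g in groups if user in effective_members(g, groups))


def nesting_depth(group, groups=GROUPS):
    """Longest chain of nested groups below `group` (0 = no nesting)."""
    return max((len(p) - 2 for p in effective_members(group, groups).values()), default=0)


if __name__ == "__main__":
    for user, path in sorted(effective_members("Domain Admins").items()):
        print(f"{user:6} via {' -> '.join(path[:-1])}")
```

In the constructed data, `dave` is a help-desk analyst who ends up three nesting levels deep in Domain Admins without ever being added to it directly.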

Rethink How Enterprises Limit IT Admin Access
There are many IT administrative functions within any given organization. IT plays a critical role in securing business continuity and operations across the organization. Administrators need to be able to reset passwords, update software, troubleshoot latency issues, answer help desk calls — the list goes on and on. However, when companies give IT administrators 24/7/365 access to most or all of their infrastructure, it only takes one compromise for an entire company's network to be breached. Hackers know this, and they are exploiting it quite successfully.

Making admin access more dynamic — granting it only when and where it's needed — prevents persistent access that can open the door for data breaches. Just-in-time administration is a new approach that allows system administrators to grant users privileges to resources for a limited period of time, in order for them to log in and address an issue, and then rescind that permission. To add another layer of protection, this just-in-time approach should ideally be paired with two-factor administration.
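A just-in-time grant paired with a second factor, as the paragraph above describes, reduces to a small policy: no grant without MFA, every grant is per host and expires, and every decision is written to an audit trail. The following is an added example, not code from the article or from Remediant; the broker, the host names and the ticket numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class JitBroker:
    """Constructed JIT broker: grants are per host, time-boxed and MFA-gated."""
    max_ttl: timedelta = timedelta(hours=2)       # hard cap on any single grant
    grants: dict = field(default_factory=dict)    # (user, host) -> expiry datetime
    audit: list = field(default_factory=list)     # (event, user, host, when, reason)

    def request(self, user, host, minutes, reason, mfa_verified, now):
        """Grant admin rights on one host until the requested TTL (capped) runs out."""
        if not mfa_verified:                      # second factor is mandatory
            self.audit.append(("denied-no-mfa", user, host, now, reason))
            return None
        expires = now + min(timedelta(minutes=minutes), self.max_ttl)
        self.grants[(user, host)] = expires
        self.audit.append(("granted", user, host, now, reason))
        return expires

    def is_admin(self, user, host, now):
        """Authorization check; an expired grant is revoked on first use."""
        expires = self.grants.get((user, host))
        if expires is None:
            return False
        if now >= expires:
            self.revoke(user, host, now, "expired")
            return False
        return True

    def revoke(self, user, host, now, why="manual"):
        if self.grants.pop((user, host), None) is not None:
            self.audit.append(("revoked:" + why, user, host, now, ""))

def run_scenario():
    """One help-desk ticket walked through the broker; returns plain values."""
    t0 = datetime(2019, 8, 20, 10, 0)
    b = JitBroker()
    denied = b.request("alice", "WKS-0421", 30, "ticket 123", False, t0) is None
    exp = b.request("alice", "WKS-0421", 30, "ticket 123", True, t0)
    capped = b.request("alice", "FS01", 600, "ticket 124", True, t0)   # 600 min > cap
    return {
        "denied_without_mfa": denied,
        "ttl_minutes": int((exp - t0).total_seconds() // 60),
        "capped_minutes": int((capped - t0).total_seconds() // 60),
        "admin_at_29": b.is_admin("alice", "WKS-0421", t0 + timedelta(minutes=29)),
        "admin_at_30": b.is_admin("alice", "WKS-0421", t0 + timedelta(minutes=30)),
        "still_granted": ("alice", "WKS-0421") in b.grants,
        "last_audit": b.audit[-1][0],
    }
```

A real deployment would drive `is_admin` from the systems that enforce local administrator membership and would revoke proactively on a timer rather than only on the next check.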

With credential-based attacks at an all-time high, we truly need a shift in our security strategy. Companies can regain the upper hand in cybersecurity defense by shifting their perspective from merely who should have access to who should have it, when, and for how long.


Tim Keeler is the Founder and CEO of Remediant, a leading provider of privilege access management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided ...