Dark Reading is part of the Informa Tech Division of Informa PLC

8/20/2019
10:00 AM
Tim Keeler
Commentary

Who Gets Privileged Access & How to Enforce It

Let's begin by re-evaluating IT infrastructures to determine who has access to what, why, and when.

Look at the most significant data breaches of recent years, such as those affecting Marriott, Microsoft Outlook, Equifax, the US Office of Personnel Management, and Yahoo, and a common theme emerges: stolen administrator credentials. In the past year alone there has been a 98% increase in web-based email account compromises due to stolen credentials, and 80% of hacking-related breaches are still tied to passwords, which should make us ask what is falling short in existing identity and access management tools.

Historically, privileged access management (PAM) has focused on granting the least privilege possible and removing privilege from users who don't need it. That approach may have been enough 20 years ago, but attackers have since learned to steal the credentials that remain, move laterally across the organization, and find and exfiltrate sensitive data. So how do we modernize our approach to PAM? One of the first steps is to re-evaluate IT infrastructure to determine who has access to what, why, and when.

Continuously Monitor for Credential Abuse to Prevent Lateral Movement
Credential abuse puts admin credentials at risk and can wreak havoc in a network. Consider a common sequence: a user's workstation is infected with malware, and the user calls the support desk for help. The support technician logs on to the compromised machine with his or her administrative account to remedy the situation. That interactive logon leaves the technician's credentials on a box the attacker already controls, where they can be harvested, handing the attacker an easy path to further compromise of the network. From that point on, the attacker uses the admin's credentials for both legitimate-looking and illegitimate activity, and the two are hard to tell apart.

Companies therefore must monitor logins carefully by collecting all types of authentication events in a centralized location. Collecting and regularly reviewing event logs is vital to understanding normal versus abnormal network activity, and it helps identify attacks and stop them before they spread.

Another rule of thumb: domain administrator accounts should only ever log on to domain controllers (more generally, an account should only log on to systems at its own tier of trust). Domain controllers in Active Directory hold the account database for everyone in the company, which is why they are seen as the box holding the keys to the kingdom. If a domain controller is compromised, the attacker effectively holds the credentials of every account in the domain.
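As an added example (not code from the article or from the author's product), the following Python models the two checks above over a handful of constructed logon records shaped like Windows Security event 4624. It flags any successful domain-admin logon that leaves reusable credentials on a host that is not a domain controller, and it summarizes how widely each admin account has been used. The host names, account names, and the inventory of domain controllers and domain admins are made-up assumptions; in practice they would come from the directory and the SIEM.

```python
"""Flag privileged logons that break the tiering rule, over constructed sample events.

Added example, not from the article. The inventory and the events below are
constructed; a real deployment would pull the inventory from AD/CMDB and the
events from the centralized log store.
"""
from collections import defaultdict

# Constructed inventory (assumption).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
DOMAIN_ADMINS = {"CORP\\da.alice", "CORP\\da.bob"}

# 4624 logon types that leave a reusable secret on the target host:
# 2 interactive, 4 batch, 5 service, 10 remote interactive (RDP), 11 cached interactive.
# Network logons (type 3) do not, so a file-share access by an admin is not a finding.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Constructed sample events in the shape of 4624/4625 (all names and addresses made up).
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "CORP\\da.alice", "host": "DC01", "logon_type": 10, "src": "10.0.5.17"},
    {"event_id": 4624, "account": "CORP\\da.alice", "host": "WS-HELPDESK7", "logon_type": 2, "src": "-"},
    {"event_id": 4624, "account": "CORP\\da.bob", "host": "FILESRV3", "logon_type": 3, "src": "10.0.9.4"},
    {"event_id": 4624, "account": "CORP\\da.bob", "host": "WS-SALES12", "logon_type": 10, "src": "10.0.7.33"},
    {"event_id": 4624, "account": "CORP\\jdoe", "host": "WS-SALES12", "logon_type": 2, "src": "-"},
    {"event_id": 4625, "account": "CORP\\da.bob", "host": "WS-SALES12", "logon_type": 10, "src": "10.0.7.33"},
]


def find_tier_violations(events, admins=DOMAIN_ADMINS, dcs=DOMAIN_CONTROLLERS):
    """Return successful domain-admin logons that cache credentials on a non-DC host."""
    violations = []
    for e in events:
        if e["event_id"] != 4624:
            continue  # only successful logons matter here
        if e["account"] not in admins:
            continue
        if e["logon_type"] not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue  # network logon: nothing reusable is left on the box
        if e["host"] in dcs:
            continue  # Tier 0 admin on a Tier 0 host is the permitted case
        violations.append(e)
    return violations


def admin_logon_spread(events, admins=DOMAIN_ADMINS):
    """Map each admin account to the set of hosts it has successfully logged on to."""
    spread = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624 and e["account"] in admins:
            spread[e["account"]].add(e["host"])
    return dict(spread)


if __name__ == "__main__":
    for v in find_tier_violations(SAMPLE_EVENTS):
        print(f"ALERT: {v['account']} logon type {v['logon_type']} on {v['host']} from {v['src']}")
    for acct, hosts in sorted(admin_logon_spread(SAMPLE_EVENTS).items()):
        print(f"{acct}: {sorted(hosts)}")
```

Run against the constructed events, the check raises two alerts (the helpdesk logon by da.alice and the RDP session by da.bob onto a sales workstation) and ignores da.bob's network logon to the file server, which is the distinction a practitioner needs so the rule does not drown in noise.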

Identify Levels of Access, Including Nested Administrator Groups
To defend against credential-based attacks, it is especially crucial to identify the various levels of IT admin access and determine who holds how much privilege across the network. This matters because, according to one annual analysis of Microsoft's security bulletins, 94% of the vulnerabilities could be mitigated simply by removing admin rights.

Tracking administrator credentials becomes a problem for companies that struggle to gain visibility into who, and where, their administrators are, because every system on the network can have its own local administrator configuration.

This is easier said than done, especially with the nested groups found in Active Directory. A nested structure means a group can itself be a member of one or more other groups, so membership in one group silently confers membership in every group above it. Nesting can be helpful, but it also creates overlap and causes IT admins and security teams to lose sight of what access has been granted and to whom. Some organizations have moved away from deep nesting altogether because of these management challenges.

When people create such groups, they rarely appreciate the downstream consequences from an IT admin perspective. Admin rights grow and compound over time, and few teams have tooling that shows how a single small change, such as nesting one group inside another, can grant access to thousands of systems.

The risks of data exfiltration, breaches, and credential theft rise dramatically when companies add users and admins to these nested groups, where they receive full, unrestricted access to files, folders, and systems they do not need.
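To make the nesting problem concrete, here is an added Python example (not from the article) that resolves effective membership through a small constructed group graph, tolerates the membership cycles that nested groups can form, explains the chain by which a given user ends up in Domain Admins, and computes who would newly gain Domain Admins rights if one more group were nested in. The group and user names are assumptions; in practice the graph would be built from directory queries.

```python
"""Resolve effective membership through nested, AD-style groups.

Added example, not from the article. The directory below is constructed;
any name present as a key is a group, everything else is a user.
"""

# Constructed directory: group -> direct members (users or other groups).
DIRECTORY = {
    "Domain Admins": {"da.alice", "G-Infra-Admins"},
    "G-Infra-Admins": {"G-Server-Ops", "bob"},
    "G-Server-Ops": {"G-Helpdesk-L2", "carol"},
    "G-Helpdesk-L2": {"dave", "erin", "G-Server-Ops"},  # nests back: a membership cycle
    "G-Contractors": {"frank", "G-Helpdesk-L2"},
}


def is_group(name, directory=DIRECTORY):
    return name in directory


def effective_members(group, directory=DIRECTORY):
    """Users who end up in `group` through any chain of nesting (cycle-safe)."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue  # already expanded; this is what breaks cycles
        seen.add(g)
        for m in directory.get(g, ()):
            if is_group(m, directory):
                stack.append(m)
            else:
                users.add(m)
    return users


def membership_paths(group, user, directory=DIRECTORY):
    """Every nesting chain from `group` down to `user`, for explaining a finding."""
    paths = []

    def walk(g, path):
        for m in directory.get(g, ()):
            if m == user:
                paths.append(path + [m])
            elif is_group(m, directory) and m not in path:  # do not loop through cycles
                walk(m, path + [m])

    walk(group, [group])
    return paths


def blast_radius_of_nesting(parent, child, directory=DIRECTORY):
    """Users who would newly gain `parent` membership if `child` were nested into it."""
    before = effective_members(parent, directory)
    trial = {g: set(ms) for g, ms in directory.items()}  # copy so the real graph is untouched
    trial.setdefault(parent, set()).add(child)
    return effective_members(parent, trial) - before


if __name__ == "__main__":
    print("Effective Domain Admins:", sorted(effective_members("Domain Admins")))
    for p in membership_paths("Domain Admins", "dave"):
        print("dave is a Domain Admin via:", " -> ".join(p))
    print("Nesting G-Contractors into Domain Admins would add:",
          sorted(blast_radius_of_nesting("Domain Admins", "G-Contractors")))
```

On the constructed graph, two helpdesk technicians (dave and erin) are effective Domain Admins three levels of nesting away from the group that grants it, the cycle between G-Server-Ops and G-Helpdesk-L2 does not hang the resolver, and the blast-radius check shows exactly which extra users a proposed nesting would let in before anyone clicks OK.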

Rethink How Enterprises Limit IT Admin Access
There are many IT administrative functions within any given organization, and IT plays a critical role in keeping business operations running. Administrators need to reset passwords, update software, troubleshoot latency issues, answer help desk calls; the list goes on. However, when companies give IT administrators standing, around-the-clock access to most or all of their infrastructure, it takes only one compromise for the entire network to be breached. Attackers know this and are exploiting it quite successfully.

Making admin access more dynamic, granting it only when and where it is needed, eliminates the standing access that opens the door to data breaches. Just-in-time administration is a newer approach in which a system administrator grants a user privileges on a resource for a limited period, long enough to log in and address an issue, after which the permission is rescinded. For another layer of protection, this just-in-time approach should be paired with two-factor authentication on every administrative logon.
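The following added Python example (not from the article or from any product) shows the essential logic of a just-in-time grant: a request is refused without a verified second factor or with a lifetime above policy, every grant carries an expiry, authorization checks re-evaluate that expiry on each use, and a sweep rescinds whatever has lapsed while keeping an audit trail. Time is passed in explicitly so the expiry path can be exercised, and the second factor is modelled as a flag rather than a real authenticator; both are assumptions of the example.

```python
"""Minimal just-in-time admin grant broker with expiry and a second-factor gate.

Added example, not from the article. `now` is an epoch-seconds value supplied
by the caller (assumption) so expiry can be tested deterministically, and
`mfa_verified` stands in for a real second-factor check (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: float  # epoch seconds
    reason: str


@dataclass
class JitBroker:
    max_ttl: float = 3600.0                       # policy ceiling on any single grant
    grants: dict = field(default_factory=dict)    # (user, resource) -> Grant
    audit: list = field(default_factory=list)     # (event, user, resource, when)

    def request(self, user, resource, ttl, reason, now, mfa_verified):
        """Issue a time-boxed grant; refuse without a second factor or with an oversized TTL."""
        if not mfa_verified:
            self.audit.append(("denied_no_mfa", user, resource, now))
            return None
        if ttl <= 0 or ttl > self.max_ttl:
            self.audit.append(("denied_ttl", user, resource, now))
            return None
        g = Grant(user, resource, now + ttl, reason)
        self.grants[(user, resource)] = g
        self.audit.append(("granted", user, resource, now))
        return g

    def is_authorized(self, user, resource, now):
        """True only while an unexpired grant exists; an expired one is revoked on sight."""
        g = self.grants.get((user, resource))
        if g is None:
            return False
        if now >= g.expires_at:
            self.revoke(user, resource, now, cause="expired")
            return False
        return True

    def revoke(self, user, resource, now, cause="manual"):
        if self.grants.pop((user, resource), None) is not None:
            self.audit.append(("revoked_" + cause, user, resource, now))

    def sweep(self, now):
        """Rescind every expired grant (what a scheduled job would do); returns the count."""
        expired = [k for k, g in self.grants.items() if now >= g.expires_at]
        for user, resource in expired:
            self.revoke(user, resource, now, cause="expired")
        return len(expired)


if __name__ == "__main__":
    broker = JitBroker(max_ttl=3600)
    broker.request("helpdesk.sam", "WS-SALES12", 900, "ticket 4711", now=1000, mfa_verified=True)
    print("t=1500 authorized:", broker.is_authorized("helpdesk.sam", "WS-SALES12", now=1500))
    print("t=1900 authorized:", broker.is_authorized("helpdesk.sam", "WS-SALES12", now=1900))
    for entry in broker.audit:
        print(entry)
```

Active Directory offers the same idea natively: with the Privileged Access Management optional feature enabled on a Windows Server 2016 or later forest, a group membership can be added with a time-to-live, and the directory itself drops the member when that TTL expires, so the sweep above becomes the directory's job rather than a script's.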

With credential-based attacks at an all-time high, we truly need a shift in security strategy. Companies can regain the upper hand by changing the question from simply who should have access to who should have access, when, and for how long.


Tim Keeler is the Founder and CEO of Remediant, a provider of privileged access management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided ...