When we evaluate the most significant data breaches, such as the ones affecting Marriott, Microsoft Outlook, Equifax, the US Office of Professional Management, and Yahoo, each one has a common theme: stolen administrator credentials. In the past year alone, there has been a 98% increase in web-based email account compromises due to stolen credentials and 80% of hacking-related breaches are still tied to passwords, causing us to question what’s falling short with existing identity and access management tools.
Historically, privileged access management (PAM) has focused on giving the least amount of privilege possible and eliminating privilege for users who don’t need it. While that approach may have worked 20 years ago, hackers have found workarounds to steal credentials and move laterally across organizations to find and exfiltrate sensitive data. So, how do we modernize our approach to PAM? One of the first things we can do is begin re-evaluating IT infrastructures to determine who has access to what, why, and when.
Continuously Monitor for Credential Abuse to Prevent Lateral Movement
Credential abuse puts admin credentials at risk and can wreak havoc in your network. For example, when users in a company network get infected with a virus, they usually call the support desk for help. Often, though, the IT support person unintentionally puts his or her credentials at risk trying to help remedy the situation, offering the attacker an easy entryway to further compromise the network. Now the attacker can use the IT admin’s credentials for legitimate and illegitimate purposes on the network, causing it to be hard to tell the difference.
Therefore, companies must carefully monitor logins by managing all types of authentication events in a centralized location. The collection and regular review of event logs plays a vital role in understanding regular versus abnormal network activity while also helping to identify and prevent attacks.
As another rule of thumb, domain administrators should only log in to domain controllers. Domain controllers in Active Directory hold accounts for everyone in the entire company and are ultimately seen as the box that holds the keys to the kingdom. If that domain controller gets compromised, the hacker gets the domains for everyone in the company.
Identify Levels of Access, Including Nested Administrator Groups
To defend against credential-based attacks, it’s especially crucial to identify the various levels of IT admin access, determining who has what amount of privilege across the network. This is important because 94% of Microsoft vulnerabilities can be mitigated by simply turning off admin rights.
Tracking administrator credentials becomes a problem for companies that struggle to gain visibility into who — and where — their administrators are because every system on a company’s network can have a different configuration for administrators.
This can be easier said than done, especially with nested groups found within Active Directory. The nested group structure means that there are groups that can also be members of multiple other groups. While nesting can be helpful, it can also create overlap and cause IT admins and security teams to lose visibility into what access is given and to whom. Some organizations have moved away from using multiple nesting groups altogether because of these management challenges.
When people create such groups, they don’t understand the upstream challenge they have from an IT admin perspective. Admin rights start growing and increase exponentially over time. No one has real tools to understand and see how small changes can grant access to thousands of nested systems.
The risks of data exfiltration, breaches, and credential theft attacks dramatically increase when companies add users and admins into these nested groups, where they get full, uncompromised access to files, folders, and other systems that they don’t need.
Rethink How Enterprises Limit IT Admin Access
There are many IT administrative functions within any given organization. IT plays a critical role in securing business continuity and operations across the organization. Administrators need to be able to reset passwords, update software, troubleshoot latency issues, answer help desk calls — the list goes on and on. However, when companies give IT administrators 24/7/365 access to most or all of their infrastructure, it only takes one compromise for an entire company’s network to be breached. Hackers know this, and they are exploiting it quite successfully.
Making admin access more dynamic — granting it only when and where it’s needed — prevents persistent access that can open the door for data breaches. Just-in-time administration is a new approach that allows system administrators to grant users privileges to resources for a limited period of time, in order for them to log in and address an issue, and then rescind that permission. To add another layer of protection, this just-in-time approach should ideally be paired with two-factor administration.
With credential-based attacks at an all-time high, we truly need a shift in our security strategy. Companies can gain the upper hand in cybersecurity defense once again by changing their perspective from not just who should have access to who, when, and for how long they should have access.
Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “5 Ways to Improve the Patching Process.”
Tim Keeler is the Founder and CEO of Remediant, a leading provider of privilege access management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided … View Full Bio