Michael Byrnes, Director – Solutions Engineering, iMEA, at BeyondTrust discusses the types of privileged account that organisations must discover and control before they can claim a robust threat posture
Behind the headlines that tell of crippling cyber-incidents, lost business hours and tarnished brands, we often find a defeatist air. Technical teams, often because of glaring cybersecurity skills gaps, just don’t know what to do about the increasingly aggressive cybercriminal. This is especially the case amid the complexity of new-normal architectures in which visibility of IT assets and identities from the endpoint to the cloud (or clouds) has become a challenge.
But not everyone is taking the cyber-onslaught lying down. In the GCC, enterprises and governments are fighting back with everything they have. The United Arab Emirates (UAE) ranked fifth in the International Telecommunication Union’s (ITU) Global Cybersecurity Index (GCI) 2020, issued in June 2021. In the 2018 edition of the same Index, the country was placed 33rd. Saudi Arabia was second in 2020, having been 13th in 2018. These are impressive leaps by any standards and reflect governmental and private-sector efforts to boost awareness and equip technologists with the standards, tools and expertise required to adopt more robust threat postures.
But even among the top-ranked cyber-combatants, work still needs to be done to optimise defenses against would-be attackers. One way to do this is to look at successful attacks and see what they have in common. In almost every breach event, a privileged account is a major link in the attack chain, so it should follow that the protection of privileged accounts, whether used by humans or machines, should be ‘job number one’ in any lucid security strategy. Indeed, in a region where regulatory compliance plays a starring role in corporate risk-management, the control and protection of network privileges is central to living up to legal obligations.
So given the implications of a privileged account being compromised, and in the face of the complex, decentralised world of multi-cloud, remote work and Shadow IT, we badly need properly categorised registries of everything in our IT domains. Privileged-access management (PAM) can help to rein in the assignment of credentials, but only when the whole environment, and every account in it, is understood; an account that is not in the inventory cannot be vaulted, rotated or monitored. As part of the inventory-compilation process, all services, users, applications, vulnerabilities, configurations and operating systems should be catalogued and classified according to sensitivity, ownership, geolocation and other tags.
On the asset-discovery journey, here is a list of the most important privileged accounts to discover:
1. Domain admin accounts
These have access to every nook and cranny of the directory, and through it to the digital estate’s crown jewels. Administrator accounts are the keys to the kingdom, so organisations should keep the number of such accounts, and the number of employees who can use them, to a minimum. Remember that membership can be inherited through nested groups, so counting the direct members of the admin group alone understates who actually holds the privilege.
2. Non-human automation accounts
Any account that an application, operating system, database, service, network device or other important asset uses to reach another asset, for data sharing, backups, monitoring or similar automation, can lead to compromise if an attacker who controls one asset in the chain can reuse its stored credential for an authenticated ‘hop’ to the next. Hops continue until higher privileges are captured. In most cases these shared, long-lived credentials are convenient rather than necessary. Their persistence, however, can represent a large security hole, so they should always be placed under privileged-access management.
3. Management solutions
Any tool used to manage, monitor, configure or automate the environment should not be operated through shared accounts: such tools can push configuration and code to every system they manage, so a single shared credential for them is an estate-wide attack vector. Keeping user access to these solutions on a one-to-one basis blocks that vector and restores accountability. All administrator accounts used to oversee and maintain applications, networks and other software-based assets should be placed under access management, whether the admin work occurs on premises or in the cloud, and whether it is performed by employees, contractors, vendors or auditors.
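To make the inventory and discovery steps above concrete, here is an added example (not BeyondTrust’s code or tooling) that classifies accounts from a small directory export into the three categories just listed. The data, group names and attribute fields are constructed to resemble an Active Directory export; the `logon_hosts` field is assumed to come from security-log correlation rather than from the directory itself, and the `svc_` naming, SPN and password-never-expires heuristics are assumptions about how service accounts are typically provisioned.

```python
"""Privileged-account discovery over a constructed directory export.

Added example, not the article's or BeyondTrust's code. It tags accounts as
domain admins (including membership inherited through nested groups),
non-human automation accounts, shared accounts, and management-tool admins,
then lists which ones to onboard into PAM first.
"""
from collections import defaultdict

# Constructed group membership (group -> members; a member may itself be a group).
# "Tier0-Ops" deliberately contains "Domain Admins" to create a membership cycle.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "svc_backup", "Domain Admins"],
    "Helpdesk": ["carol"],
    "SCCM Admins": ["dave", "svc_sccm"],
}

# Assumption: groups that grant admin rights inside management/monitoring tools.
MANAGEMENT_ADMIN_GROUPS = {"SCCM Admins"}

# Constructed account attributes. SPNs and non-expiring passwords mark service
# accounts; logon_hosts is the set of hosts the account authenticated from in
# the last 30 days (assumed to come from log correlation, not the directory).
ACCOUNTS = {
    "alice":      {"spns": [], "pwd_never_expires": False, "logon_hosts": {"WS-01"}},
    "bob":        {"spns": [], "pwd_never_expires": False, "logon_hosts": {"WS-02"}},
    "carol":      {"spns": [], "pwd_never_expires": False,
                   "logon_hosts": {"WS-10", "WS-11", "WS-12", "SRV-FILE01"}},
    "dave":       {"spns": [], "pwd_never_expires": False, "logon_hosts": {"WS-03"}},
    "svc_backup": {"spns": ["backup/srv-bk01"], "pwd_never_expires": True,
                   "logon_hosts": {"SRV-BK01"}},
    "svc_sccm":   {"spns": ["sccm/srv-sccm01"], "pwd_never_expires": True,
                   "logon_hosts": {"SRV-SCCM01"}},
}

# Heuristic threshold: a human account seen from this many distinct hosts is
# probably being shared between people.
SHARED_HOST_THRESHOLD = 3


def expand_group(name, groups, seen=None):
    """Return the user accounts in `name`, following nested groups.

    `seen` guards against membership cycles, which do occur in real directories.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, []):
        if member in groups:
            users |= expand_group(member, groups, seen)
        else:
            users.add(member)
    return users


def is_non_human(attrs):
    """Service-account heuristic: has an SPN or a password that never expires."""
    return bool(attrs["spns"]) or attrs["pwd_never_expires"]


def classify(accounts, groups, mgmt_groups=MANAGEMENT_ADMIN_GROUPS):
    """Map each account to the set of privileged-account categories it falls in."""
    tags = defaultdict(set)
    for user in expand_group("Domain Admins", groups):
        tags[user].add("domain-admin")
    for group in mgmt_groups:
        for user in expand_group(group, groups):
            tags[user].add("management-admin")
    for user, attrs in accounts.items():
        if is_non_human(attrs):
            tags[user].add("non-human")
        elif len(attrs["logon_hosts"]) >= SHARED_HOST_THRESHOLD:
            tags[user].add("shared")
    return dict(tags)


def pam_priority(tags):
    """Accounts to vault first: privileged AND non-human or shared, i.e. the
    credentials nobody rotates and several systems or people depend on."""
    privileged = {"domain-admin", "management-admin"}
    unowned = {"non-human", "shared"}
    return sorted(u for u, t in tags.items() if t & privileged and t & unowned)


if __name__ == "__main__":
    result = classify(ACCOUNTS, GROUPS)
    for user in sorted(result):
        print(f"{user:12} {', '.join(sorted(result[user]))}")
    print("onboard into PAM first:", pam_priority(result))
```

Note that `svc_backup` only surfaces as a domain admin because the nested `Tier0-Ops` group is expanded; a report of the direct members of `Domain Admins` would miss it, and it is exactly the kind of non-expiring automation credential that gives an attacker an authenticated hop straight to the top of the domain.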
Media contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: editor@securitybuyer.com