Privileged accounts can no longer be ignored.
Every organization has privileged accounts. If you use computers, you have privileged accounts. When you install a server, you create a genesis account—the first account on the system and one that always has full access rights. And when you install an application on that server, you create a service account that uses Administrator or Root for everything.
So here’s the issue: You have zero people using that system, yet you’ve already got two privileged accounts.
Then you set up all of the IT services and accounts necessary to maintain that server. Still no users, but now you’ve got dozens or hundreds of accounts with high-level access to the system. Then you add users.
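The inventory step the passage above implies, as an added example that is not part of the original post: a small script that reads Linux passwd, group and sudoers data and reports every account with root-level access (UID 0 accounts, members of admin groups, and sudoers entries granting ALL), which is the first thing to run before you can watch or restrict those accounts. The sample files are constructed to show a freshly built server that already has several privileged accounts before a single human user exists; the admin group names and the standard /etc/passwd, /etc/group and /etc/sudoers formats are assumptions.

```python
import re

# Constructed sample files: a freshly built server with no human users yet.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
postgres:x:110:118:PostgreSQL:/var/lib/postgresql:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
deploy:x:1001:1001:deploy svc:/home/deploy:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:deploy
sudo:x:27:postgres
"""
SUDOERS = """\
root    ALL=(ALL:ALL) ALL
backup  ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) /usr/bin/systemctl restart app
"""
ADMIN_GROUPS = ("root", "wheel", "sudo", "admin")  # assumed names of admin groups
SUDO_RULE = re.compile(r"(%?\S+)\s+\S+=\([^)]*\)\s+(?:NOPASSWD:\s*)?(.+)$")

def privileged_accounts(passwd, group, sudoers):
    """Return {username: sorted reasons} for every account with root-level access."""
    found, groups = {}, {}
    for line in group.splitlines():
        name, _, _, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    for line in passwd.splitlines():
        name, _, uid = line.split(":")[:3]
        if uid == "0":                      # a second UID-0 account is a second root
            found.setdefault(name, set()).add("uid 0")
        for g in ADMIN_GROUPS:
            if name in groups.get(g, []):
                found.setdefault(name, set()).add(f"member of {g}")
    for line in sudoers.splitlines():
        m = SUDO_RULE.match(line.split("#")[0].strip())
        if not m or m.group(2).strip() != "ALL":  # command-scoped rules are not full root
            continue
        who = m.group(1)                    # "%name" means every member of that group
        for user in (groups.get(who[1:], []) if who.startswith("%") else [who]):
            found.setdefault(user, set()).add(f"sudo ALL via {who}")
    return {u: sorted(r) for u, r in found.items()}

if __name__ == "__main__":
    accts = privileged_accounts(PASSWD, GROUP, SUDOERS)
    for user, reasons in sorted(accts.items()):
        print(f"{user:10} {', '.join(reasons)}")
    print(len(accts), "privileged accounts,", sum("uid 0" in r for r in accts.values()), "with UID 0")
```

On the constructed data the script finds five privileged accounts, two of them UID 0, with no human user on the box; the deploy account's command-scoped sudo rule is deliberately not counted as full root.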
Most organizations spend a lot of effort managing access at the user level: Identity Management, Access Management, Role-based Access Control, Attribute-based Access Control, Provisioning, Access Certification, Multi-factor Authentication, Logging and Monitoring, Behavioral Analytics and Anomaly Detection—all of this is aimed at mitigating the risk of the users.
So what are you doing to mitigate the risk of the privileged accounts? These are accounts that—by definition—have higher levels of access, and therefore more risk. If your strategy is to tell yourself, “Oh, those are trained people, they know how to follow policy,” then you’re in trouble. Does it make sense that a higher-risk population gets a lower level of attention?
Bad people prey on this idea. They depend on it. But don’t take my word for it. Look:
- “Privileged Accounts are on the critical path to success 100% of the time in every attack, regardless of the threat.” – CyberSheath
- “If an organization is not protecting the activity of all privileged accounts, they are leaving the window open for a damaging attack.” – IDC
- “What also has been common to such attacks was that they were usually performed by (or in the name of) users with elevated privileges, such as administrators.” – Kuppinger-Cole
- “If we can gain control of an account with admin rights, it’s game over; we can take the rest of their systems. We don’t even need to know the password, we only need to impersonate that user. When I see multiple root or admin accounts giving us a large attack surface, it makes our job easy.” – Novacoast’s RED Team
So, the good news: there are good tools, many of which you may already own, that address this problem: tools that let you watch privileged accounts, restrict them, and grant rights appropriately. For most of us, the effort necessary to cover these vulnerabilities is very manageable. But for all of us, it is vitally necessary if you don’t want to make it easy for someone to take control of your network.