With data leaks and data breaches occupying headlines, businesses are compelled to invest more money in cyber security. However, while most companies spend freely on keeping their security perimeter up to date, they often fall flat when it comes to protection from insider threats.
In many cases, your own employees have the best opportunity to compromise your sensitive data and sell it or use it to commit fraud. Particularly dangerous are employees with privileged accounts, which have full control over their systems and legitimate access to restricted information. Such employees have all the tools necessary to misuse data and reliably cover their tracks: they can change or delete log files, disable monitoring software, or, if they are caught, claim that a malicious action was a mistake.
In many situations, data misuse by privileged employees is indistinguishable from their ordinary everyday activity, because the same accounts, tools and commands are used for both. All of this makes data breaches by privileged employees very dangerous and hard to detect.
But insider threats are not the only danger of privileged accounts. Such accounts can be misused or compromised both by external attackers and by other employees inside your own organisation. Edward Snowden, for example, reportedly obtained sensitive information simply by asking fellow employees for the passwords to their privileged accounts. This means that the question of privileged account security is very broad, and the only answer to it is to employ comprehensive control and monitoring tools and policies.
But how do you monitor and control privileged users? Below we look at best practices for dealing with privileged accounts and try to give you a better understanding of privileged account security. By following these recommendations and building a holistic security system that takes both outsider and insider threats into account, you will strengthen your overall cyber security posture and thoroughly protect your data.
The unique challenges of privileged account management stem from the fact that such accounts have unrestricted access to internal systems, including the application logs and other tools that record their actions. The best way to approach this problem is to employ external monitoring tools, whose records the monitored user cannot alter, together with strong access and password policies, in order to protect your organisation from both insider and outsider threats.
Privileged user management and protection of privileged accounts should be an integral part of your company's security strategy. Your formal security policy should reflect this commitment and describe in detail the access, termination and monitoring procedures associated with privileged accounts.
- Principle of least privilege: The first thing you should do to protect privileged accounts is to limit their number. The best way to do this is to assign every new user the lowest level of privileges by default and elevate them only when necessary. This way, only users who truly need privileged access will have it, and you will know exactly who they are.
- Identify privileged accounts: Clearly identify and account for every privileged account in your organisation, including built-in administrative accounts, service accounts and application-level administrator roles, not just named human users. This will allow you to conduct a more precise risk assessment, get rid of the accounts you don't need and secure all the ones you do.
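The inventory step is the one most easily automated. The following is an added example, not code from the original article or from Ekran System, showing how to enumerate root-equivalent accounts on a Linux host from the contents of /etc/passwd and /etc/group: accounts with UID 0, accounts whose primary group is administrative, and explicit members of administrative groups. The list of administrative group names is an assumption to adjust to the host's sudoers and PAM configuration, and the sample file contents are constructed for the example.

```python
"""Inventory privileged accounts on a Linux host from /etc/passwd and /etc/group.

Three things make an account root-equivalent here: UID 0, a primary group that
confers administrative rights, or explicit membership of such a group.
"""
from typing import Dict, List

# Groups that typically grant root via sudo or su on common distributions.
# Assumption: adjust to the host's actual sudoers/PAM configuration.
DEFAULT_ADMIN_GROUPS = ("root", "wheel", "sudo", "admin")

# Constructed sample data standing in for the real files.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:10:Carol:/home/carol:/bin/bash
svc-backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:
svc-backup:x:998:
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map account name -> {uid, gid, shell} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a real audit would report it
        name, _, uid, gid, _, _, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text: str) -> Dict[str, dict]:
    """Map group name -> {gid, members} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _, gid, members = fields
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def find_privileged_accounts(passwd_text: str, group_text: str,
                             admin_groups=DEFAULT_ADMIN_GROUPS) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for every account that is root-equivalent."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {g["gid"]: name for name, g in groups.items()}
    findings: Dict[str, List[str]] = {}

    def flag(account: str, reason: str) -> None:
        findings.setdefault(account, []).append(reason)

    for name, u in users.items():
        if u["uid"] == 0:
            # A second UID-0 account is a classic way to hide a privileged login.
            flag(name, "uid 0" if name == "root" else "uid 0 (root-equivalent, not named root)")
        primary = gid_to_name.get(u["gid"])
        if primary in admin_groups:
            flag(name, f"primary group {primary}")

    # Explicit membership; sorted so the report order is stable.
    for gname in sorted(admin_groups):
        for member in sorted(groups.get(gname, {"members": set()})["members"]):
            flag(member, f"member of {gname}")

    return findings


if __name__ == "__main__":
    for account, reasons in find_privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{account:12s} {'; '.join(reasons)}")
```

On a real host, read the two files instead of the constructed strings, and repeat the exercise for every directory, database and application that keeps its own administrator roles; the local account database is only one source of privilege.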
Passwords are the most basic form of protection for any account.
Thorough password security and sensible policies for keeping and changing passwords are the first step in good access control. There are a number of best practices you should follow regarding password management and security.
- Prohibit password sharing: Reusing the same password across different accounts may allow employees with a lower level of privileges to gain access to privileged accounts. Also, if such a password is compromised, every account using it is compromised with it. Therefore, the first step in good password security is to prohibit any password sharing and make sure that each account uses a unique password.
- Employ strong passwords: It is always tempting to use a simple password that is easy to remember, anything from a generic “123” or “admin” to the name of an employee's pet. Such passwords are very easy for an attacker to guess, so make it part of your security policy that each privileged account has a unique, complex password.
- Protect password storage: If you store any passwords, make sure the files are thoroughly encrypted and never kept in plain text. Keep in mind that certain applications store passwords in plain text, in configuration files for example. In that case, you need to take measures to protect those files, restricting who can read them, or move to more secure alternatives.
- Change default passwords: Automatically created generic administrative accounts come with generic passwords, which are more often than not public knowledge, since they are printed in vendor documentation. By failing to change them, you are giving attackers free rein over your privileged accounts.
- Automate password changes: Changing passwords after a certain period of time can be a very good security practice. However, it inconveniences the user, who may forget to change the password, put it off, or decide not to do it at all. It is best to employ an automatic system that forces users to change their passwords periodically. Automatic password changes are also very useful for service accounts, where a password change must be synchronised across several applications that use the account.
However, there is more to access security than simply having a reliable password. For effective privileged access management, it is paramount to employ proper authentication and termination procedures.
- Prohibit account sharing: As with password sharing, account sharing may allow users to gain privileges they are not supposed to have. It is a security liability that should be avoided. Moreover, it prevents you from clearly associating actions with a specific person, which in the case of an insider attack may prevent you from identifying the perpetrator.
- Employ secondary authentication: Additional authentication factors work as a safety net in case a password has been compromised, and also help confirm the identity of the person trying to access sensitive information. Therefore, secondary authentication is mandatory for privileged accounts. You can implement it in different ways, the simplest of which is an authenticator app on a smartphone or another device the user already carries. Larger companies may want to use hardware tokens for better protection.
- Employ one-time logins: It is insecure to give permanent privileged permissions to users who do not need them on a permanent basis. If a user accesses sensitive data or system settings only occasionally, it is much better to grant them temporary, time-bounded credentials that are automatically revoked when they finish the job (often called just-in-time access). This way you make sure that the number of privileged accounts stays limited and that access that is no longer in use is properly terminated.
- Develop a termination procedure: Termination of unused accounts is a key part of privileged account management. When an employee leaves the company or moves to a different position, it is very important to disable their privileged access promptly; otherwise they can still use it to conduct malicious actions.
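The one-time login and termination items above describe one mechanism seen from two sides: privilege is granted to a named person for a bounded time and disappears on its own, and offboarding revokes whatever is still live. The following is an added example, not code from the original article or from Ekran System, of a minimal just-in-time access broker that implements both. The role names, TTL cap, no-self-approval rule and the injected clock (`now` passed as a timestamp so the behaviour is reproducible) are assumptions made for the example.

```python
"""Just-in-time privileged access: time-bounded grants that expire on their own.

Instead of holding a standing admin role, a named person requests elevation for
one task; the broker records who, why and for how long, and denies access
automatically once the grant expires, is consumed, or the person is offboarded.
"""
from dataclasses import dataclass
from typing import Dict, List
import secrets


@dataclass
class Grant:
    grant_id: str
    user: str            # the named person, never a shared account
    role: str            # e.g. "db-admin" (assumed role name)
    approver: str
    justification: str
    issued_at: float
    expires_at: float
    single_use: bool     # True: credentials are good for exactly one use
    used: bool = False
    revoked: bool = False


class JitAccessBroker:
    def __init__(self, max_ttl_seconds: float = 4 * 3600):
        self.max_ttl = max_ttl_seconds          # assumed hard cap on elevation time
        self.grants: Dict[str, Grant] = {}
        self.audit_log: List[dict] = []         # every decision, for the monitoring team

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def request(self, user: str, role: str, approver: str, justification: str,
                ttl_seconds: float, now: float, single_use: bool = False) -> str:
        """Issue a grant; TTL is clamped to the cap and self-approval is refused."""
        if approver == user:
            raise ValueError("self-approval is not allowed")
        if not justification.strip():
            raise ValueError("a justification is required")
        ttl = min(ttl_seconds, self.max_ttl)
        gid = secrets.token_hex(8)
        grant = Grant(gid, user, role, approver, justification, now, now + ttl, single_use)
        self.grants[gid] = grant
        self._log("grant", grant_id=gid, user=user, role=role, approver=approver,
                  expires_at=grant.expires_at)
        return gid

    def authorize(self, user: str, role: str, now: float) -> bool:
        """Allow only if a live, unexpired, unconsumed grant exists for this person."""
        for g in self.grants.values():
            if (g.user == user and g.role == role and not g.revoked
                    and not g.used and now < g.expires_at):
                if g.single_use:
                    g.used = True       # one-time credential: consumed on first use
                self._log("allow", user=user, role=role, grant_id=g.grant_id)
                return True
        self._log("deny", user=user, role=role)
        return False

    def offboard(self, user: str, now: float) -> int:
        """Termination procedure: revoke every live grant the person still holds."""
        count = 0
        for g in self.grants.values():
            if g.user == user and not g.revoked:
                g.revoked = True
                count += 1
                self._log("revoke", user=user, grant_id=g.grant_id, reason="offboarded", at=now)
        return count

    def active_grants(self, now: float) -> List[Grant]:
        """What privilege is live right now; this is the list to review daily."""
        return [g for g in self.grants.values()
                if not g.revoked and not g.used and now < g.expires_at]
```

The important property is that nothing has to remember to take access away: `authorize` compares against the expiry on every call, so a forgotten grant stops working by itself, and `active_grants` gives the auditor a short list of standing privilege instead of a long list of permanently privileged accounts.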
All of the practices above are designed to control privileged user access and to prevent malicious activity from happening, whether it comes from within or from an external attacker targeting a privileged account.
However, the best way to detect data breaches and data misuse by a privileged user is to employ a dedicated monitoring solution specifically designed to give you visibility into what your privileged users are doing.
- Monitor user actions: It is important not only to monitor user access to sensitive data, but also to record everything the user does with it. Such recordings not only help detect data breaches; they also act as an effective deterrent against misuse of credentials. There are several ways to record user actions, the most detailed of which is a full video recording of everything happening on the user's screen. Many solutions also collect additional metadata, to varying degrees, such as which application was in use or what was typed, which can be used to search such recordings.
- Clearly identify the user: When monitoring user actions, make sure they can be clearly associated with a particular person, even when the work is done through a built-in administrative account. This will help you identify the perpetrator as soon as a breach is detected.
- Make sure that monitoring software is protected: Most privileged accounts are used either by IT specialists or by tech-savvy users who will have no trouble disabling monitoring for a brief period to cover their tracks. Therefore, it is important to employ a solution designed with privileged user monitoring in mind. Such solutions protect their own agents so that monitoring cannot be turned off or paused by the monitored user, and they should ship their records off the host to a system the monitored administrators cannot write to.
- Use a notification system: If your company has many privileged users, it will be impossible to go through the footage manually to detect suspicious activity. While many solutions employ convoluted and often inflexible notification systems, you still definitely should use one if you ever want to detect an attack. Often you can create your own set of alert rules, which allows you to detect data misuse much more efficiently.
- Monitor the actions of security personnel: The security of your organisation is maintained by your security specialists, but they also require some supervision. It is best to employ a monitoring tool that keeps its own audit trail of who viewed, exported or deleted recordings, so you can make sure that your security personnel have not misused the data collected during monitoring.
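The notification rules the list asks for are simplest to understand as code run over the activity records. The following is an added example, not code from the original article or from Ekran System, of three detections over syslog-style sudo and sshd lines: a privileged command that deletes logs or stops auditing (the track-covering described earlier), privileged activity outside working hours, and one account accepted from two different source hosts within a few minutes, which is what account sharing looks like in the logs. The log lines are constructed, the year is assumed because syslog timestamps carry none, and the 06:00 to 22:00 window and ten-minute sharing threshold are assumed thresholds to tune.

```python
"""Detection rules over privileged-activity logs (sudo + sshd, syslog format).

Rules raised as alerts:
  TAMPER      a privileged command that removes logs or stops auditing
  OFF_HOURS   a privileged command outside the assumed 06:00-22:00 window
  SHARED_USE  one account accepted from several source hosts in a short window
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

ASSUMED_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample: an admin disabling auditing and deleting a log at 2 a.m.,
# then the same account appearing from a second workstation two minutes later.
SAMPLE_LOG = [
    "Mar  3 02:13:55 db01 sshd[2301]: Accepted publickey for alice from 10.0.5.21 port 51234 ssh2",
    "Mar  3 02:14:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd",
    "Mar  3 02:14:30 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log",
    "Mar  3 02:16:02 db01 sshd[2355]: Accepted password for alice from 10.0.9.77 port 40022 ssh2",
    "Mar  3 10:05:11 db01 sshd[2900]: Accepted publickey for bob from 10.0.5.30 port 51000 ssh2",
    "Mar  3 10:05:40 db01 sudo:      bob : TTY=pts/1 ; PWD=/srv ; USER=postgres ; COMMAND=/usr/bin/pg_dump prod",
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")

# Commands that destroy evidence or silence the recorder.
TAMPER_PATTERNS = [re.compile(p) for p in (
    r"\b(rm|shred|truncate|unlink)\b.*(/var/log/|/var/audit/)",
    r"\bsystemctl\s+(stop|disable|mask)\s+\S*(auditd|rsyslog|syslog|journald)",
    r"\bauditctl\s+-e\s*0\b",
    r"\bhistory\s+-c\b",
)]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def detect(lines: List[str], shared_window: timedelta = timedelta(minutes=10),
           work_start: int = 6, work_end: int = 22) -> List[Dict[str, str]]:
    """Run all three rules over the lines and return the alerts in log order."""
    alerts: List[Dict[str, str]] = []
    logins = defaultdict(list)  # user -> [(timestamp, source ip)]

    for raw in lines:
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        ts, host, rest = parse_ts(m["ts"]), m["host"], m["rest"]

        sudo = SUDO_RE.search(rest)
        if sudo:
            user, cmd = sudo["user"], sudo["cmd"].strip()
            if any(p.search(cmd) for p in TAMPER_PATTERNS):
                alerts.append({"rule": "TAMPER", "user": user, "host": host, "detail": cmd})
            if not (work_start <= ts.hour < work_end):
                alerts.append({"rule": "OFF_HOURS", "user": user, "host": host,
                               "detail": f"{ts.time()} {cmd}"})
            continue

        ssh = SSHD_RE.search(rest)
        if ssh:
            user, ip = ssh["user"], ssh["ip"]
            # Same account, different source host, inside the window: two people
            # (or one person and an intruder) are using one identity.
            others = sorted({i for t, i in logins[user] if ts - t <= shared_window and i != ip})
            if others:
                alerts.append({"rule": "SHARED_USE", "user": user, "host": host,
                               "detail": f"{ip} after {', '.join(others)} within {shared_window}"})
            logins[user].append((ts, ip))

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['rule']:10s} {a['user']:8s} {a['host']:6s} {a['detail']}")
```

Note that the TAMPER rule can only fire if the log line reaches the detector before the deletion takes effect, which is exactly why the monitoring records must live off the host, on a system the monitored administrators cannot write to.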
As you can see from the list above, privileged accounts can be very hard and sometimes even expensive to deal with, especially if you have taken no measures in this direction before. When it comes to financial or personal information, monitoring and controlling privileged user access is part of compliance requirements and becomes par for the course for the company.
However, not every privileged account with enough access and control to cause serious damage is covered by compliance regulations.
Regardless of whether your company is required to control and monitor privileged accounts or not, following the best practices above will definitely strengthen your security and allow you to thoroughly protect your company from the threats associated with privileged accounts.
[The author Marcell Gogan is an Information Security Specialist at Ekransystem.com and loves writing about data management and cyber security.]