A Policy Of All Privileged Accounts – Overkill Or Common Sense?

How badly can a breach of a privileged account jeopardize an organization? Let's look into the discussion by the RevBits CEO.

An attack on a privileged account rarely begins with a root or administrator account. It usually starts with the theft of an ordinary user's credentials. Passwords are the starting point for fraud: bad actors disguise themselves as legitimate users and build on that misrepresentation to carry out their work.

How badly can a breach of a privileged account jeopardize an organization? At the very least, it makes the organization look unprepared and irresponsible to investors and customers. Worse, private customer data or corporate secrets could be stolen, all because an attacker obtained one employee's username and password.

Expanding Security Perimeters and Shrinking Skilled Labor Resources

Some security teams think that separate controls for super-users, as opposed to the rest of the workforce, create security fragmentation and waste resources. Cybersecurity, like many other business sectors, has been woefully short of qualified professionals. The daily challenge is to manage the resources on hand while devising the strongest and most comprehensive approach to identity-based access control. Privileged access management (PAM) is a core cybersecurity discipline covering many account types: domain and database administrator accounts, service accounts, and so on. Today's rapidly expanding security perimeters make it worth considering whether every account should be treated as privileged in order to keep control of user access.

Support for an All-Privileged Accounts Policy

All organizations are aware of the acceleration in phishing attacks and credential harvesting, with most experiencing some form of attack weekly. In 2022, the rate of phishing attacks rose 61% over 2021, and business email compromise (BEC) campaigns are on the rise.

Attackers typically target an ordinary user's account, hoping the unsuspecting victim takes the bait and makes the fateful click that installs malware. From there, credential harvesting is easy pickings, and asset exposure and compromise follow. With every account a possible entry point, it seems prudent to adopt the stance that all accounts are privileged, with the policies and security measures for that level of management applied across the board.

How Should an Organization Apply the Concept of Trust?

In light of spiraling endpoint and BEC cybercrime, today's enterprise must eradicate outdated and naive protocols that assume and extend trust, and so heighten attack risk. A zero-trust model is essentially a mandate to eliminate excess privilege for asset access. A user ID and password alone are insufficient credentials given the scope and complexity of today's threat landscape.

Organizations should extend zero-trust policies to all employees and deploy behavioral analytics to identify anomalies in all access requests. Account compromise can start anywhere: human resources, legal and other non-administrative accounts. Given the sophistication of today's cybercriminals, no area of a company has unexploitable accounts. Anyone with online or physical access, including those handling credit cards at a point-of-sale system, can pose a threat.

Managing Privileged Accounts and the User Experience

One might ask: doesn't treating all user accounts as privileged add complexity for IT and security teams? The obvious answer is yes; however, there is far more complexity and resource waste in handling a disruptive breach and recovering from the reputational damage. When privileged account management is deployed, there may be a small learning curve for users facing new limits and restrictions. When correctly introduced, with ongoing employee training in the rationale and practices of zero trust, least-privilege policies will be accepted and followed.

There are a number of best practices that should be deployed for secure privileged access. In addition to enforcing strict password management and multifactor authentication on all accounts, limit the number of privileged accounts and disallow the sharing of admin accounts. Privileged access requires an accurate, up-to-date inventory, with documentation of every change and account addition, as well as ongoing review of access rights and risk assessments. A least-privilege, zero-trust model, combined with real-time monitoring of privileged user activity, creates a robust defense against the targeted attacks of cybercriminals.
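As an added example (not code from the article or from RevBits), the following Python script applies those checks to a constructed account inventory and sign-in log: every account, admin or not, is held to the same rules (MFA enabled, access reviewed within 90 days, no concurrent use of one account from two hosts, which is a cheap indicator of a shared admin account), and each successful sign-in is scored against a per-user baseline of known hosts and working hours, the simplest form of the behavioral analytics the earlier section calls for. The account names, hosts, timestamps, thresholds and log format are all assumptions made for illustration.

```python
"""Added example (not code from the article or from RevBits): audit a
constructed account inventory and sign-in log against the controls the
article lists, applying privileged-account rules to every account.
All names, hosts, timestamps and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: ordinary users, service and admin accounts alike.
ACCOUNTS = [
    {"user": "alice",      "role": "domain-admin", "mfa": True,  "last_review": "2024-05-01"},
    {"user": "bob",        "role": "hr",           "mfa": False, "last_review": "2024-04-20"},
    {"user": "svc-backup", "role": "service",      "mfa": False, "last_review": "2023-10-01"},
    {"user": "admin",      "role": "domain-admin", "mfa": True,  "last_review": "2024-05-10"},
]

# Constructed sign-in log: (ISO timestamp, account, source host, success).
SIGNINS = [
    ("2024-05-13T09:02:00", "alice", "wks-alice", True),
    ("2024-05-13T09:10:00", "bob",   "wks-bob",   True),
    ("2024-05-13T10:00:00", "admin", "wks-alice", True),
    ("2024-05-13T10:05:00", "admin", "wks-carol", True),
    ("2024-05-13T10:06:00", "admin", "wks-carol", False),
    ("2024-05-14T02:30:00", "bob",   "vpn-gw-7",  True),
]

# Constructed per-account baseline of hosts seen during normal use.
KNOWN_HOSTS = {"alice": {"wks-alice"}, "bob": {"wks-bob"}, "admin": {"wks-alice"}}

# Assumed "today" for the review-age check.
AS_OF = datetime(2024, 5, 15)


def audit_inventory(accounts, as_of, max_review_age=timedelta(days=90)):
    """Apply privileged-account hygiene to every account: MFA must be
    enabled and access must have been reviewed within max_review_age."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["mfa"]:
            issues.append("no-mfa")
        if as_of - datetime.fromisoformat(acct["last_review"]) > max_review_age:
            issues.append("stale-review")
        if issues:
            findings[acct["user"]] = issues
    return findings


def find_shared_accounts(signins, window=timedelta(minutes=30)):
    """Heuristic for a shared account: the same account signing in
    successfully from two different hosts within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, host, ok in signins:
        if ok:
            by_user[user].append((datetime.fromisoformat(ts), host))
    shared = {}
    for user, events in by_user.items():
        events.sort()
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                shared.setdefault(user, set()).update({h1, h2})
    return shared


def detect_anomalies(signins, known_hosts, work_hours=(7, 19)):
    """Simple behavioural analytics: flag successful sign-ins from a host
    not in the account's baseline, or outside working hours."""
    alerts = []
    for ts, user, host, ok in signins:
        if not ok:
            continue
        when = datetime.fromisoformat(ts)
        reasons = []
        if host not in known_hosts.get(user, set()):
            reasons.append("unknown-host")
        if not (work_hours[0] <= when.hour < work_hours[1]):
            reasons.append("off-hours")
        if reasons:
            alerts.append({"user": user, "host": host, "time": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("inventory findings:", audit_inventory(ACCOUNTS, AS_OF))
    print("possibly shared accounts:", find_shared_accounts(SIGNINS))
    for alert in detect_anomalies(SIGNINS, KNOWN_HOSTS):
        print("anomaly:", alert)
```

On this data the inventory audit flags bob (no MFA) and the svc-backup service account (no MFA, last reviewed more than 90 days ago), the sharing heuristic flags the admin account used from two workstations five minutes apart, and the anomaly check flags the admin sign-in from a host outside its baseline and bob's 02:30 VPN sign-in from a never-seen gateway. The failed sign-in is ignored by both sign-in checks, since the question is what an authenticated account is doing, not what an attacker tried.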

Today's privileged access solutions make it easier for IT and security teams to onboard and offboard users, control and limit access to resources, and automatically keep server and database resources separated from direct user access. Rather than overkill, a policy of all privileged accounts is just prudent, common-sense cybersecurity.

License: You have permission to republish this article in any format, even commercially, but you must keep all links intact. Attribution required.