
Bring in the cavalry

The answer to vulnerability caused by an expanding universe of privileged users lies in the management of privileged access.

By Michael Horn, Security business unit manager, CA Southern Africa.
Johannesburg, 27 Jul 2016

In my first Industry Insight, I discussed how privileged users present a key vulnerability for corporate IT systems and the data they contain, because an attacker who obtains their credentials can eventually penetrate the whole system. The challenge, I noted, is that the universe of privileged users has grown enormously, and the risk has grown with it.

The solution lies in privileged access management, a formal set of processes and technologies for managing the special needs of privileged accounts, "including their provisioning and life cycle management, authentication, authorisation, password management, auditing, and access controls", in the words of Wikipedia.

There are three key steps through which privileged access management can help stop hackers from gaining access.

Step 1: Preventing unauthorised access

To provide strong authentication, set up a network-based gateway through which all privileged access is channelled. In addition, such a gateway would have to integrate with existing identity management infrastructure, and thus should support links to existing identity stores, like Active Directory, LDAP directories or even RADIUS or TACACS+ in some environments. While the system can, and should, support local authentication, chances are the company will already have a well-established identity store in place, and it should be leveraged.

The existing identity management system will already define who the authorised users are, and what roles and permissions they have. It thus provides the basis for giving privileged access. However, it is not sufficient. Privileged access is a key vulnerability, so it should be protected by multifactor authentication. This will make it much harder for a hacker to gain access to the corporate systems.

Other techniques to mitigate the risk of unauthorised access are to restrict system access based on the IP address or network from which the user is attempting to log in, or on the time of day.

Another tactic is to protect the credentials used to access systems. The best option is for the privileged access management system to provide a credential safe in which passwords and key pairs can be stored in encrypted form.

This credential safe has to be able to manage credentials actively, interacting with systems to change passwords according to standards appropriate to the level of risk. Automating this process decreases both security and operational risk; when combined with privileged-user single sign-on, a high level of security can be achieved because it is possible to give a user access to a system without ever giving the user the relevant credentials. After all, if a user doesn't have the credential, he or she can't steal it, or be tricked into revealing it!

Step 2: Limit privilege escalation, reconnaissance and lateral movement

In many networks, authentication tends to equal access control; once a user has logged into the network, he or she has access to everything on the network. This is obviously great news for hackers.


Advanced capabilities like single sign-on for privileged users help to put a stop to this when they are combined with least-privilege (zero-trust) access control. The gateway separates authentication from system access, so users only receive visibility of those systems and resources that their privileges define. Thus, if Worker A requires access only to a certain server or resource class, then he or she should be restricted to exactly that.

In addition, because the privileged access management system brokers every session to the managed resource, it can limit the authority a user has over that resource, further restricting the ability of an illicit user to escalate privileges or move around the network.
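As an added example (not code from the article or from any CA product), the following Python sketch models a gateway that applies the Step 1 and Step 2 controls in order: it consults a stand-in identity store, requires multifactor authentication, restricts access by source network and time of day, maps directory groups to the targets and privileged accounts they may use, and brokers the session by checking the credential out of a safe that the user never sees, rotating it when the session closes. The users, groups, hosts, networks and policy are constructed test data.

```python
"""Added example, not code from the article or from any CA product: a toy model of a
privileged access gateway applying the Step 1 and Step 2 controls. Users, groups,
hosts, networks and policy below are constructed test data."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
import secrets

# Stand-in for the existing identity store (AD/LDAP): user -> groups and MFA enrolment.
IDENTITY_STORE = {
    "alice": {"groups": {"linux-admins"}, "mfa_enrolled": True},
    "bob": {"groups": {"dba"}, "mfa_enrolled": False},
}


@dataclass(frozen=True)
class AccessRule:
    """Least-privilege rule: which targets a group may reach, as which privileged
    account, from which source networks and during which hours."""
    targets: frozenset
    account: str
    start: time
    end: time
    networks: tuple


# Hypothetical gateway policy keyed by directory group.
POLICY = {
    "linux-admins": AccessRule(frozenset({"web01", "web02"}), "root", time(8, 0), time(18, 0),
                               (ipaddress.ip_network("10.0.0.0/8"),)),
    "dba": AccessRule(frozenset({"db01"}), "oracle", time(0, 0), time(23, 59),
                      (ipaddress.ip_network("10.10.0.0/16"),)),
}


class CredentialSafe:
    """Holds target credentials. They are released only to the gateway to open a
    session, never to the end user, and are rotated after each session."""

    def __init__(self, accounts):
        self._vault = {key: secrets.token_urlsafe(24) for key in accounts}

    def checkout(self, host, account):
        return self._vault[(host, account)]

    def rotate(self, host, account):
        # A real safe would also push the new password to the target system here.
        self._vault[(host, account)] = secrets.token_urlsafe(24)

    def current(self, host, account):
        return self._vault[(host, account)]


class Gateway:
    def __init__(self, safe):
        self.safe = safe
        self.sessions = {}   # session_id -> (user, host, account)
        self.audit = []      # attributable log: time, user, host, account, outcome

    def request_session(self, user, mfa_passed, source_ip, host, account, now):
        """Apply the controls in order; return (session_id or None, reason)."""
        entry = IDENTITY_STORE.get(user)
        if entry is None:
            return self._deny(user, host, account, now, "unknown user")
        if not (entry["mfa_enrolled"] and mfa_passed):
            return self._deny(user, host, account, now, "mfa required")
        ip = ipaddress.ip_address(source_ip)
        for group in entry["groups"]:
            rule = POLICY.get(group)
            if rule is None or host not in rule.targets or account != rule.account:
                continue   # this group grants nothing for this target/account
            if not any(ip in net for net in rule.networks):
                return self._deny(user, host, account, now, "source network not allowed")
            if not rule.start <= now.time() <= rule.end:
                return self._deny(user, host, account, now, "outside permitted hours")
            # The gateway uses the credential to connect; the caller only gets a session handle.
            self.safe.checkout(host, account)
            session_id = secrets.token_hex(8)
            self.sessions[session_id] = (user, host, account)
            self.audit.append((now.isoformat(), user, host, account, "granted"))
            return session_id, "granted"
        return self._deny(user, host, account, now, "no rule permits this target/account")

    def close_session(self, session_id, now):
        user, host, account = self.sessions.pop(session_id)
        self.safe.rotate(host, account)   # a leaked password is useless after the session
        self.audit.append((now.isoformat(), user, host, account, "closed"))

    def _deny(self, user, host, account, now, reason):
        self.audit.append((now.isoformat(), user, host, account, "denied: " + reason))
        return None, reason


if __name__ == "__main__":
    gw = Gateway(CredentialSafe([("web01", "root"), ("web02", "root"), ("db01", "oracle")]))
    when = datetime(2016, 7, 27, 10, 0)
    print(gw.request_session("alice", True, "10.1.2.3", "web01", "root", when))
    print(gw.request_session("bob", False, "10.10.5.5", "db01", "oracle", when))
    print(gw.request_session("alice", True, "192.168.1.1", "web01", "root", when))
```

The order of checks matters: identity and MFA are evaluated before any policy lookup, so an attacker with a stolen password but no second factor is denied before the gateway reveals which targets exist. Note that the session handle returned to the caller never contains the credential, and every decision, granted or denied, lands in the audit list under the named user rather than the shared account.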

Step 3: Monitor, record and audit activity

If steps one and two work, then a hacker would have limited or no success in penetrating the system. However, security depends on taking all contingencies into account, so step three adds an additional safeguard. It acts as a deterrent, and provides significant benefits in the event of a breach.

The simple knowledge that all activity is being recorded and analysed constitutes a powerful deterrent both to malicious activity and innocent but dangerous exploration of systems. An exhaustive logging and alert system will provide system administrators, relevant managers and even auditors with an early warning signal that something potentially concerning is happening. In this way, policy violations and breach attempts are flagged immediately, enabling rapid response.

In addition, the analysis of logs in the context of other system activity will yield further clues to suspect events, prompting investigation in advance of a breach actually occurring.

It's worth mentioning here that because shared administrative accounts are so commonly used, the system needs to be able to attribute actions to specific individuals in order to achieve regulatory compliance.
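To make attribution concrete, here is an added example (not from the article or from any CA product) that correlates a gateway's session log with a target host's audit log. Each action taken under the shared root account is assigned to the named user whose brokered session was active on that host at that moment; use of the shared account outside any brokered session is flagged as a gateway bypass, and commands on a watch list are flagged for review. Both logs are constructed sample lines in an assumed key=value format, and the watch list is an assumption.

```python
"""Added example, not code from the article or from any CA product: attributing
shared-account actions to named individuals by correlating a gateway session log
with a target host's audit log. Both logs are constructed sample data in an
assumed format; the watch list is an assumption."""
import re
from datetime import datetime

# Constructed gateway session log: start/end of each brokered session.
GATEWAY_LOG = """\
2016-07-27T09:00:12Z session=ab12 user=alice host=web01 account=root event=start
2016-07-27T09:40:00Z session=ab12 user=alice host=web01 account=root event=end
2016-07-27T13:05:00Z session=cd34 user=carol host=web01 account=root event=start
2016-07-27T13:30:00Z session=cd34 user=carol host=web01 account=root event=end
"""

# Constructed target host audit log: what the shared account actually did.
HOST_LOG = """\
2016-07-27T09:05:30Z host=web01 account=root cmd="systemctl restart nginx"
2016-07-27T13:10:02Z host=web01 account=root cmd="useradd -m backdoor"
2016-07-27T13:12:45Z host=web01 account=root cmd="auditctl -e 0"
2016-07-27T21:47:10Z host=web01 account=root cmd="cat /etc/shadow"
"""

# Assumed watch list: commands that a privileged user should rarely need.
WATCHLIST = (
    re.compile(r"^auditctl -e 0"),   # disabling audit logging
    re.compile(r"^useradd\b"),       # creating a new account
    re.compile(r"/etc/shadow"),      # reading password hashes
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def load_sessions(text):
    """Pair start/end events into one record per session id."""
    sessions = {}
    for line in text.splitlines():
        f = parse(line)
        s = sessions.setdefault(f["session"],
                                {"user": f["user"], "host": f["host"], "account": f["account"]})
        s[f["event"]] = f["ts"]
    return list(sessions.values())


def attribute(host_log, sessions):
    """Return (events with a 'user' field, alerts). An event with no matching
    brokered session means the shared account was used around the gateway."""
    events, alerts = [], []
    for line in host_log.splitlines():
        f = parse(line)
        active = [s for s in sessions
                  if s["host"] == f["host"] and s["account"] == f["account"]
                  and s.get("start", datetime.min) <= f["ts"] <= s.get("end", datetime.max)]
        user = active[0]["user"] if active else None
        events.append({"ts": f["ts"], "host": f["host"], "account": f["account"],
                       "cmd": f["cmd"], "user": user})
        if user is None:
            alerts.append(("UNBROKERED", f["ts"], None, f["cmd"]))
        if any(p.search(f["cmd"]) for p in WATCHLIST):
            alerts.append(("WATCHLIST", f["ts"], user, f["cmd"]))
    return events, alerts


if __name__ == "__main__":
    evts, alts = attribute(HOST_LOG, load_sessions(GATEWAY_LOG))
    for e in evts:
        print(e["ts"], e["host"], e["account"], "->", e["user"] or "<unattributed>", e["cmd"])
    for a in alts:
        print("ALERT", *a)
```

In the sample data the 21:47 read of /etc/shadow is the interesting line: nobody had the root account checked out at that time, so either a credential was used that should only have existed inside the safe, or someone reached the host without going through the gateway. Either way it is an immediate alert rather than something found weeks later in an audit.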

Session recording has a number of other benefits. One is allowing administrators to perform a detailed review of any mistakes they make, speeding up troubleshooting. For example, if an update or configuration change was performed on a previous shift, it can be time-consuming and difficult for the next shift to determine exactly what happened should a problem manifest itself. Access to immediate playback of what happened can be helpful. Such a recording can also be useful for training, by demonstrating how an error occurred and what the preferred remedial action is.

Finally, in the worst-case scenario of an actual breach, session recordings and logs play a vital role in determining exactly what was done to a system, what information was stolen, and so on. With this kind of forensic information on hand, it is much easier to perform an accurate damage assessment and, ultimately, to support prosecution of the attackers. It also provides valuable information that can be fed back into security procedures, strengthening defences against future attack.
