Back to Cybersecurity Basics – Part 5: Managing User Privileges
IT and cyber security mean many different things to many different people. One size definitely doesn’t fit all, and different companies have their own individual challenges to resolve.
The larger a company gets, the more complex its security requirements become. With few exceptions, one challenge that grows with a company is managing user privileges and access to privileged accounts, and this is a favourite weakness for hackers to exploit.
Why? Because it’s the quickest and easiest way for hackers to get at sensitive data.
In fact, according to a survey conducted by Thycotic at the 2017 BlackHat Conference in Las Vegas, 32% of hackers agreed with this statement.
The first step to addressing a problem is to admit that you have one in the first place, and a lot of organisations are starting to realise that this is a real problem that needs addressing.
Firstly, you need to understand where your main issues lie. Once you understand this, you can decide how to tackle the problem(s) and in what order of priority.
There are many issues associated with user privileges. These can be anything from:
- Employees given elevated privileges to do certain ad-hoc tasks, but then not having them revoked.
- Difficulty in keeping track of who has access to which systems and data.
- Contractors given elevated privileges to do the work they need to, but again not having these revoked in a timely manner.
- Keeping track of user privileges as users change roles within an organisation.
- Employees who have access to privileged accounts using simple passwords, which are saved locally and not rotated often enough, or at all.
- Privileged users with wide-ranging access to systems and data leaving the organisation without IT knowing what data or information they had access to, and therefore what to revoke.
These are just some of the most common issues associated with managing user privileges, however, there are more concerns.
The risks associated with not managing user privileges well can lead to:
- Misuse of privileges
- Increased hacker attack surface
- Circumvention of existing security controls
So what can you do about the problem?
As the saying goes ‘there is more than one way to skin a cat’, and the same goes for managing user privileges and access to privileged accounts.
The holy grail for every organisation is least privilege. Because of bad practice in the past, working towards this isn’t something that can happen overnight, but getting it right can improve an organisation’s security posture greatly.
‘Organisations should determine what rights and privileges users need to effectively perform their duties and implement a policy of “least privilege”.’
UK National Cyber Security Centre
There are several technologies available that can help you work towards least privilege. A Privileged Account Management solution will help you increase the complexity of your privileged account passwords and rotate them regularly, and an Access Rights Management solution will allow you to give employees access to the right information at the right time.
Both products, of course, cost money; however, there are certain things you can do to help yourselves. Be aware, though, that these may have a more severe impact on a company’s budget when you consider the time taken to manage these processes. In some cases, managing these processes effectively means employing additional resources.
- Manage Accounts from creation, through their lifecycle to revocation. Build processes that address account revocation when users leave or change roles.
- Ensure policies are in place for password creation and rotation. There needs to be a balance between usability and security.
- Limit User Privileges. Users should only be given access to systems and information that they need to do their jobs.
- Limit the number and use of privileged accounts. If a privileged account is no longer in use, ensure it is closed down. Make sure that access to and use of privileged accounts are reviewed regularly.
- Monitor user activity on a regular basis. Any anomalies should be flagged and addressed at the first possible opportunity. Again, there is technology available that can help streamline this process.
- Educate users on acceptable account use.