Privileged user and local admin accounts are generally used to install software/hardware, reset passwords for others, access sensitive data, make changes in IT infrastructure systems, and log into machines in an environment.
Most privileged accounts are easy to identify. For example, managers, system admins, and IT/security staff typically have the power to access and affect much more than the average employee. With this in mind, it’s natural to get tunnel vision and forget how many users in your environment have elevated or even critical access levels.
For example, access such as that granted by a local admin account is often forgotten, but employees who retain administrative rights to their workstations are in fact, privileged users too. Elevated rights may give these users the ability to make configuration changes, add and remove applications, and execute programs. A potential attacker can gain a lot of access for a little effort by compromising these accounts in your network.
This elevated level of account permissions makes lower-level privileged user account credentials attractive assets to target in social engineering and phishing schemes. Not only are they frequently forgotten or de-prioritized by organizations, but they are often run by users with less security expertise than accounts with higher levels of administrative access.
While we’ve established that local admin and privileged user accounts are high-value targets for cybercriminals looking to gain access to a system efficiently, risks can originate from within an organization as well. This is, of course, especially dangerous if the threat is coming from a user with privileged access.
- 34% of data breaches are initiated by an insider threat (disgruntled employee, deliberate insider espionage, or simply poor security hygiene)
- 33% of reported incidents are related to privilege misuse
- 20% of breaches are caused by password misuse
Privileged User Training and Privileged Account Best Practices:
Now that you understand what this type of access means and the threats it can pose, let’s dive into some privileged user training and best practices you can implement to mitigate risks from within or outside of your organization.
Automated governance is simply a privileged access management (PAM) system or tool. A PAM tool would be used to elevate user rights only when specifically needed and provides auditing and logging features as well. There are many different types of PAM solutions, but their purpose is to manage user privileges or the process of elevating rights.
These systems also usually have an approval component that serves to prevent credentials from being elevated unbeknownst to anyone else in the network. This serves as a failsafe in the event an attacker uses a compromised account to escalate its privileges.
General Security Training
As we often say, while people can be a security program’s greatest weakness, they can also become a valuable asset if we take the time to train and educate our users.
Providing regular training for users in your network doesn’t just further educate your staff, but it maintains an emphasis on security from top to bottom in your organization.
Staff members who have recently undergone training will more commonly have basic security practices in mind and are less likely to stumble into common pitfalls that hackers use to break into lower-level accounts. Remember, a breached user account with local permissions can be a highly valuable target for a hacker and just as dangerous to your organization.
Privileged User Training
Given that these accounts are such promising targets, privileged user training or privileged access management training is key for users who have elevated privileges. This type of training goes beyond the foundational security training meant to be distributed to an entire office and instead focuses on educating the user on their elevated rights and how to exercise an appropriate level of caution given their greater security responsibility within the program.
Users should only have permissions for things they absolutely need access to.
Training users is one thing, but keeping access to a bare minimum is one of the best ways to minimize the damage a threat actor can cause or any upward movement they might pursue if they do manage to find a way in.
If you’re not already, be sure to enforce a least privilege policy throughout your entire organization.
If you need a quick refresher on general password best practices, we have a resource that goes over some do’s and don’ts to keep in mind when creating a password. One of the best ways to keep track of and generate highly effective passwords, however, is a good password manager. We’ve also written about a few of these to save you some precious research time.
While these best practices are crucial to protecting your accounts, there is more you can do where privileged user accounts are concerned. Here are a few points to keep in mind:
- Always use Multifactor Authentication (MFA) wherever applicable
- Keep an inventory of all privileged accounts and who can access them
- Remember to consider things like shared passwords that a supervisor might leave with someone else before going out of town (does that person retain access after the supervisor has returned?)
- Separate credentials for accounts with elevated rights/system administration, etc. Your day-to-day work account shouldn’t need privileged access.
- Change passwords periodically to limit ex-user access
- Note: This is especially important if you at all suspect you may face retribution from a disgruntled employee—either currently or previously employed. Steps should be taken preemptively, especially if you suspect that a user might attempt to sabotage your network on their way out.
As indicated in our advice on passwords, it’s important to review user permissions in general with regularity. Performing periodic audits to log and track who has access to what and limit the occurrence of unnecessarily elevated privileges is key to staying on top of your least privilege policy.
You should not expect the users in your network to remember to communicate with you about access that is no longer needed. Instead, implement a scheduled system for keeping track of this information, and be sure to keep those records up to date.
Lastly, it’s important to establish and enforce policies that clearly outline the expectations your organization and its security advisors have for the users in your network. One of the best examples of this is the creation and enforcement of an acceptable use policy (AUP).
Expectations around public network usage, social media, accessing restricted information, modifying passwords and access data, and more should be outlined in your AUP. In addition, the agreement should always be signed and understood by the user before handing over network access.
The agreement should be maintained to reflect the most recent updates to your security infrastructure and business operations, and serves to limit personal use of company resources, protect the organization against legal action, and (most importantly where we’re concerned) help protect your data from threats.
While it’s true that local admin accounts and users with elevated access are high-value targets for attackers, we shouldn’t allow this information to strike fear or panic. As with so many other topics in the information security world, understanding where your vulnerabilities lie and focusing efforts on protecting your most valuable assets is key. If you need help with anything related to protecting privileged accounts or training privileged users, don’t hesitate to reach out. We’re always happy to help where we can!