Privileged Access Management

In this video, you will learn about privileged access management: how accounts with elevated access to systems and data are controlled, used and monitored.
We also need to pay special regard to privileged access management. Privileged access management refers to the management of accounts that have unusual or elevated access to resources, so we want to invest more time and energy into monitoring the use of these accounts. The key business driver for privileged access management is reducing the risk of users misusing their privileges, whether that misuse is deliberate or inadvertent. Something you will see is organizations where the domain administrators have domain admin accounts and use those domain admin accounts as their day-to-day accounts for system access. This is really poor practice, and not something we should be doing.
We should have a day-to-day non-privileged account, and when we need to perform privileged functions, we use a separate elevated account to perform those tasks. In Linux, we see the use of sudo ("superuser do") to run individual commands with elevated privileges. In Windows we have the runas command, which runs an individual program under a different, more privileged account when we need to. Graphically, in Windows, we can right-click a file or executable and choose "Run as administrator", which is a very basic way of elevating privileges. What we should not do, day to day, is use our privileged accounts for normal operations.
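The scoped-elevation model above is only as good as the sudo policy behind it: a rule that grants "ALL" or a root shell turns the day-to-day account back into a permanently privileged one. As an added example, not from the lecture, the following script audits a sudoers policy for such rules. The policy text is constructed for illustration, the account names are hypothetical, and only the common subset of the sudoers grammar ("who host=(runas) [TAG:] cmd, cmd", with tags preceding the command list) is handled; aliases, Defaults and include lines are skipped. Bob's rule shows the scoped form the lecture recommends; the others show what to look for.

```python
"""Audit a sudoers policy for rules that hand out blanket root.

Added example, not from the original lecture. The policy text is constructed
for illustration and the account names are hypothetical. Grammar handled:
"who host=(runas) [TAG:] cmd, cmd" with tags before the command list;
aliases, Defaults and include lines are skipped.
"""
import re
from dataclasses import dataclass, field

# Constructed sample policy (not taken from any real system).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults  use_pty, log_output
root      ALL=(ALL:ALL) ALL
%wheel    ALL=(ALL) NOPASSWD: ALL
alice     ALL=(ALL) ALL
bob       webservers=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
carol     ALL=(root) NOPASSWD: /bin/bash
dave      ALL=(postgres) /usr/bin/psql
"""

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"   # user/%group  host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # optional (runas_user:runas_group)
    r"(?P<body>.+)$"                               # [TAG:] cmd, cmd, ...
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh", "/bin/dash"}


@dataclass
class Rule:
    who: str
    host: str
    runas_user: str                    # user part of (user:group); sudo defaults to root
    tags: list = field(default_factory=list)
    cmds: list = field(default_factory=list)


def parse_sudoers(text):
    """Return the user specifications in `text`, ignoring lines we do not model."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        tags = []
        while (t := TAG_RE.match(body)):       # NOPASSWD:, SETENV:, ... apply to the whole list here
            tags.append(t.group(1))
            body = body[t.end():]
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        rules.append(Rule(
            who=m.group("who"),
            host=m.group("host"),
            runas_user=runas,
            tags=tags,
            cmds=[c.strip() for c in body.split(",") if c.strip()],
        ))
    return rules


def audit(text):
    """Return (who, issue) pairs for rules that grant more than a scoped task."""
    findings = []
    for r in parse_sudoers(text):
        if r.who == "root":
            continue                           # root's own ALL rule is conventional
        issues = []
        if "ALL" in r.cmds:
            issues.append("blanket-all")       # any command as the runas user
        if r.runas_user in ("root", "ALL") and any(c.split()[0] in SHELLS for c in r.cmds):
            issues.append("shell-as-root")     # an interactive root shell is equivalent to ALL
        if issues and "NOPASSWD" in r.tags:
            issues.append("nopasswd")          # and no re-authentication before getting it
        findings.extend((r.who, issue) for issue in issues)
    return findings


if __name__ == "__main__":
    for who, issue in audit(SAMPLE_SUDOERS):
        print(f"{who}: {issue}")
```

On the sample policy the audit flags %wheel (blanket ALL without a password), alice (blanket ALL) and carol (a password-less root shell); bob, whose rule is limited to two specific commands on a host alias, and dave, who runs psql only as the postgres user, pass. Running the same check against a real policy is a quick way to find where "use sudo for the task" has quietly become "give everyone root".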
If we suffer an attack, say a zero-day ransomware attack, a session running under a domain admin account can be pretty toxic: it can result in huge portions of the network being taken down and going offline. There are tools we can use to help with privileged access management. And, in fact, standards like PCI DSS and Sarbanes-Oxley require us to have some degree of control and management of these privileged accounts. NIST Special Publication 800-53, COBIT and ITIL all have provisions and guidance on the use and management of privileged user accounts. The NIST document is available free of charge on the NIST website; ITIL and COBIT are available online as well. And there are products like CyberArk that help manage privileged accounts.
A SIEM system can also help, by logging privileged account use and notifying us when particular types of function are used. The privileged accounts we are talking about are typically accounts like root, the Linux or Unix administrator account. In the Windows world, we have the local Administrator account, domain administrators and enterprise administrators. For databases, we see sa, the built-in system administrator login in Microsoft SQL Server, and for Oracle, the Oracle account. There will be a variety of these privileged accounts within your organization. Individual line-of-business systems will have their own administrator accounts, and we need to make sure, as far as is possible, that we are protecting them. Some of the dangers that surround these privileged accounts involve accounts like the backup account.
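The two points above, that privileged accounts must not be used for day-to-day logons and that a SIEM should notify when they are used in particular ways, come together in detection rules run over forwarded logs. As an added example, not part of the lecture, the following script applies three such rules to a handful of constructed log lines: the Linux lines use the standard sudo syslog layout, the Windows lines are a simplified key=value rendering of Security event 4624 (an account logged on) as a log forwarder might emit it. Host names, account names, the approved-sudo-user list and the naming convention for admin accounts (da-*, ea-*) are assumptions made for the example.

```python
"""Flag risky privileged-account use in forwarded log lines (SIEM-style rules).

Added example, not part of the original lecture. The log lines are constructed
for illustration: the Linux ones use the standard sudo syslog layout, the
Windows ones are a simplified key=value rendering of Security event 4624 as a
log forwarder might emit it. Host names, account names, the approved-user list
and the admin-account naming convention (da-*, ea-*) are assumptions.
"""
import re

# Constructed sample events (not taken from any real system).
SAMPLE_LOGS = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:14:37 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:20:05 db01 sudo:    mallory : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-03-03T09:15:22Z host=WS042 EventID=4624 LogonType=2 TargetUserName=da-jsmith TargetDomainName=CORP
2024-03-03T09:16:40Z host=WS042 EventID=4624 LogonType=2 TargetUserName=jsmith TargetDomainName=CORP
2024-03-03T09:30:11Z host=DC01 EventID=4624 LogonType=10 TargetUserName=da-jsmith TargetDomainName=CORP
"""

# Standard sudo syslog line: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<host>\S+)\s+sudo:\s+(?P<user>[^\s:]+)\s*:\s*"
    r"TTY=\S+\s*;\s*PWD=\S+\s*;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$"
)
# Simplified forwarder rendering of a Windows Security event (assumed layout).
WIN_RE = re.compile(
    r"host=(?P<host>\S+)\s+EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)"
)

# Policy, assumed for the example.
APPROVED_SUDO_USERS = {"alice", "bob"}                       # day-to-day accounts allowed to elevate
PRIVILEGED_WIN_ACCOUNT = re.compile(r"^(da-|ea-|administrator$)", re.I)
WORKSTATION = re.compile(r"^WS\d+$", re.I)                   # hosts where admin accounts should never log on
INTERACTIVE_LOGON = {"2", "10"}                              # 4624 LogonType: 2 = console, 10 = RDP
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/su", "/bin/su"}


def detect(log_text):
    """Return (rule, host, user) findings in log order.

    Rules:
      unapproved-sudo            sudo used by an account not on the approved list
      root-shell                 sudo used to open an interactive root shell rather than run one task
      privileged-on-workstation  an admin account logged on interactively to a workstation
    """
    findings = []
    for line in log_text.splitlines():
        if m := SUDO_RE.match(line):
            user, host, cmd = m["user"], m["host"], m["cmd"]
            if user not in APPROVED_SUDO_USERS:
                findings.append(("unapproved-sudo", host, user))
            if m["target"] in ("root", "ALL") and cmd.split()[0] in SHELLS:
                findings.append(("root-shell", host, user))
        elif m := WIN_RE.search(line):
            if (m["event"] == "4624" and m["ltype"] in INTERACTIVE_LOGON
                    and PRIVILEGED_WIN_ACCOUNT.match(m["user"])
                    and WORKSTATION.match(m["host"])):
                findings.append(("privileged-on-workstation", m["host"], m["user"]))
    return findings


if __name__ == "__main__":
    for rule, host, user in detect(SAMPLE_LOGS):
        print(f"{rule:26} {host:8} {user}")
```

On the sample, alice's scoped service restart and jsmith's ordinary workstation logon produce nothing, while bob's root shell, mallory's unapproved elevation and the da-jsmith console logon on WS042 are each reported; the same da-jsmith account logging on to DC01 over RDP is left alone, since administering a domain controller is what that account exists for. In a real SIEM the approved-user list and host classes would come from the directory rather than being hard-coded, but the rule shapes are the ones to start with.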

