We need to talk about Privileged Users

One of the most important (yet underrated) entry points for attackers

Posted by Salvo Bertoncini on August 08, 2022 · 4 mins read

Privileged users are everywhere. Although you may not notice them, an organization typically has 3 to 4 Privileged Users for each personal account.

Because of this large attack surface, Privileged Users that are not properly managed can lead to several kinds of attack (almost 80%[1] of the attacks in the last two years were identity-related, and almost 80% of attacks in general involve Privileged Accounts[2]). But what is a Privileged User? And how can we safely manage them?

Let's shine the light on Privileged Users.


What a Privileged User is

As per NIST[3], a Privileged User is a user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

They can be associated with human users (e.g., admin, root, super user) as well as non-human users (e.g., applications and machine identities).

Some examples of Privileged accounts accessed by humans are:

  1. Super user accounts
  2. Domain administrative account
  3. Local administrative account
  4. SSH key
  5. Emergency account
  6. Privileged business user

Some examples of Privileged accounts accessed by non-humans are:

  1. Application account
  2. Service account
  3. SSH key
  4. Secret

Other examples of Privileged accounts are:

  1. Root accounts
  2. Wi-Fi accounts
  3. Firewall accounts
  4. Network equipment accounts
  5. Hardware accounts

As mentioned, Privileged accounts are everywhere. Organizations need to safely manage an ever-growing number of them, spread across systems, applications, infrastructure and IoT devices, in cloud, on-premises and hybrid environments.

For this reason, attacks can be perpetrated from inside and outside the organization. By exploiting credentials and gaining access to the organization's network, attackers can move laterally or vertically, and even exfiltrate data, resulting in the interruption of the business. This pattern can be repeated endlessly.

How to manage Privileged Users and Accounts

First of all, organizations need to safely store and manage their Privileged Credentials. These are usually stored behind several layers of encryption, and cannot be retrieved or accessed directly by human or non-human entities.

In fact, with modern Privileged Access Management solutions, credentials can be retrieved only when requested programmatically (e.g., via API), and only if the request originates from a trusted source.

For security reasons, a best practice is to rotate credentials periodically.

Moreover, sessions in which Privileged Accounts are involved have to be recorded. This means that every action performed by a Privileged Account is logged and can be audited at any time. Sessions are often isolated, which means that the end users never connect directly to the target systems.

Of course, MFA and SSO are a must in this context as well.
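The controls listed above (credentials never handed out directly, check-out only from a trusted source, MFA on the requester, periodic rotation, and an auditable record of every action) can be modelled in a few dozen lines. The following is an added illustration written for this post, not code from any PAM product: it uses only the Python standard library, the 30-day rotation window and the trusted network sources are assumed policy values, and the secrets and requests are constructed sample data. Encryption at rest is left out so the access-control and audit logic stays visible.

```python
"""Toy Privileged Access Management broker: gated check-out, rotation, audit.

Illustrative stdlib-only code written for this article, not a vendor product.
Assumptions: a 30-day rotation policy and a static list of trusted source IPs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_CREDENTIAL_AGE_SECONDS = 30 * 24 * 3600  # assumed rotation policy: 30 days
_AUDIT_FIELDS = ("ts", "action", "account", "actor", "outcome")


@dataclass
class PrivilegedCredential:
    account: str
    secret: str
    rotated_at: float  # epoch seconds of the last rotation

    def is_stale(self, now: float) -> bool:
        return now - self.rotated_at > MAX_CREDENTIAL_AGE_SECONDS


@dataclass
class CheckoutRequest:
    requester: str
    source_ip: str
    mfa_verified: bool  # set by the identity provider after a successful MFA step
    account: str


class ToyVault:
    """Holds privileged secrets and releases them only through checkout()."""

    def __init__(self, trusted_sources, audit_key: bytes):
        self._store = {}
        self._trusted = set(trusted_sources)
        self._audit_key = audit_key          # key for the tamper-evident log
        self._prev_mac = b"\x00" * 32        # chain anchor for the first entry
        self.audit_log = []

    def onboard(self, account: str, now: float) -> None:
        self._store[account] = PrivilegedCredential(account, secrets.token_urlsafe(24), now)
        self._audit("onboard", account, "system", "ok", now)

    def rotate(self, account: str, now: float) -> None:
        cred = self._store[account]
        cred.secret = secrets.token_urlsafe(24)
        cred.rotated_at = now
        self._audit("rotate", account, "system", "ok", now)

    def checkout(self, req: CheckoutRequest, now: float):
        """Return the secret only when every control passes; log every outcome."""
        if req.account not in self._store:
            return self._deny("unknown_account", req, now)
        if req.source_ip not in self._trusted:
            return self._deny("untrusted_source", req, now)
        if not req.mfa_verified:
            return self._deny("mfa_required", req, now)
        cred = self._store[req.account]
        if cred.is_stale(now):
            self.rotate(req.account, now)  # never release an over-aged secret
        self._audit("checkout", req.account, req.requester, "ok", now)
        return cred.secret

    def _deny(self, reason: str, req: CheckoutRequest, now: float):
        self._audit("checkout", req.account, req.requester, reason, now)
        return None

    @staticmethod
    def _encode(entry: dict) -> bytes:
        return "|".join(str(entry[k]) for k in _AUDIT_FIELDS).encode()

    def _audit(self, action, account, actor, outcome, now) -> None:
        # Each entry's MAC covers the previous MAC, so edits or deletions
        # anywhere in the log break every later link in the chain.
        entry = dict(zip(_AUDIT_FIELDS, (now, action, account, actor, outcome)))
        mac = hmac.new(self._audit_key, self._prev_mac + self._encode(entry), hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self._prev_mac = mac
        self.audit_log.append(entry)

    def verify_audit_log(self) -> bool:
        """Recompute the HMAC chain; False means the log was altered."""
        prev = b"\x00" * 32
        for entry in self.audit_log:
            mac = hmac.new(self._audit_key, prev + self._encode(entry), hashlib.sha256).digest()
            if not hmac.compare_digest(mac, bytes.fromhex(entry["mac"])):
                return False
            prev = mac
        return True


if __name__ == "__main__":
    vault = ToyVault(trusted_sources={"10.0.0.5"}, audit_key=b"constructed-audit-key")
    t0 = 1_700_000_000.0
    vault.onboard("db-admin", t0)
    print(vault.checkout(CheckoutRequest("alice", "203.0.113.9", True, "db-admin"), t0))
    print(vault.checkout(CheckoutRequest("alice", "10.0.0.5", True, "db-admin"), t0))
    print(vault.verify_audit_log())
```

The point of the chained HMAC is that the recording requirement only has value if the record itself cannot be quietly rewritten after a compromise; in a real deployment the log key would live outside the vault host, and the secrets would additionally be encrypted at rest.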

Conclusion

We shed some light on the different Privileged Accounts you could face in an organization, and some features a robust solution should offer.

Those accounts are crucial, and are involved in almost every attack on an organization. For this reason, managing them needs to be a priority for every organization.

References

  [1] The State of Identity: How Security Teams are Addressing Risk, 2019
  [2] The Forrester Wave™: Privileged Identity Management (PIM), Q3 2018
  [3] NIST SP 800-172

Photo by Jefferson Santos on Unsplash.