Privileged Access: The Root of Your Next Breach?

By Sean Stanton, Senior Security Analyst on Mar. 24, 2015

The recent cybersecurity breach at Anthem, Inc. has been classified as one of the largest breaches ever of customer information. Despite Anthem’s status as a healthcare powerhouse with over $2.6 billion in revenue last year, it only took one privileged account to introduce a security breach that affected 80 million customers.

Organizations that have experienced a security breach have most likely accrued countless unanticipated costs associated with breach containment, crisis management, reputational damage, investigations and forensics, customer compensation, damaged system replacements, lawsuits and other penalties. With the proliferation of recent data breaches, organizations cannot afford to avoid securing one of their most powerful assets: the privileged user.

A privileged user is a user that is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform. These security-relevant functions vary but could include activities such as key management, account management, network and system administration, database administration, and web administration. In Anthem’s case, once the privileged users’ credentials were compromised, there was no way (including encryption) to stop the attack, because the attacker was operating with legitimate privileged access. The rest is history.

Privileged accounts pose more risk to organizations than ordinary accounts because they can be used to expose personal data, complete unauthorized transactions, launch denial-of-service (DoS) attacks that make a machine or network resource unavailable to its intended users, or alter audit trails.

Could your organization be susceptible to the same type of breach? There are several risks and recommendations to consider when assessing whether your organization could be susceptible to a privileged access breach:

1. Is there a formal process to manage privileged access rights?

If your organization does not have a formal IT Risk Management process to manage privileged access rights, then you’re even more susceptible to a security breach. It’s recommended that the privileged access rights associated with each system or process be identified before any are assigned, and that they then be granted to users on a “need-to-know” basis commensurate with job function. Privileged access should be reviewed regularly in order to verify that the allocated access is appropriate in relation to a user’s responsibilities. Any change in a privileged user’s job function or business reason for access should prompt a review of that access, and any excessive access rights should be removed promptly.
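The review described above can be automated as a reconciliation of what each user currently holds against what their job function needs. The following is an added example, not code from the article: the role-to-rights inventory, the 90-day review interval, and the three sample users are all constructed assumptions.

```python
"""Periodic privileged-access review: reconcile what each user currently holds
against what their job function needs, and flag anything that should go.
Added example, not from the article; the roles, rights, users and review
interval are all constructed assumptions."""
from datetime import date, timedelta

# Hypothetical inventory: the privileged rights each system exposes, mapped to
# the job functions that need them (assumption; real data comes from your CMDB).
ROLE_ENTITLEMENTS = {
    "dba": {"db:admin"},
    "sysadmin": {"os:root", "net:admin"},
    "web-admin": {"web:admin"},
    "analyst": set(),  # ordinary user: no privileged rights at all
}
# Every right the inventory knows about; anything else was never identified.
INVENTORIED_RIGHTS = set().union(*ROLE_ENTITLEMENTS.values())
REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence
REVIEW_DATE = date(2015, 3, 24)       # constructed "today" for the sample run


def review_privileged_access(users, today):
    """Return {user: [finding, ...]} for a list of user records.

    Each record carries the rights currently granted, the current job function,
    the job function recorded at the last review, and the date of that review.
    """
    findings = {}
    for u in users:
        issues = []
        needed = ROLE_ENTITLEMENTS.get(u["role"], set())
        # Rights beyond what the job function needs: remove promptly.
        excess = u["rights"] - needed
        if excess:
            issues.append(("excess_rights", sorted(excess)))
        # Rights that were never inventoried cannot have been assigned on a
        # need-to-know basis; they need an owner before anything else.
        unknown = u["rights"] - INVENTORIED_RIGHTS
        if unknown:
            issues.append(("uninventoried_rights", sorted(unknown)))
        # A job change since the last review triggers a fresh review.
        if u["role"] != u["role_at_last_review"]:
            issues.append(("job_change_review", u["role"]))
        # Regular review regardless of changes.
        age = (today - u["last_review"]).days
        if age > REVIEW_INTERVAL.days:
            issues.append(("review_overdue", age))
        findings[u["name"]] = issues
    return findings


# Constructed sample: a clean DBA, a former sysadmin who moved to an analyst
# role but kept root, and a web admin holding a right nobody inventoried.
SAMPLE_USERS = [
    {"name": "alice", "role": "dba", "role_at_last_review": "dba",
     "rights": {"db:admin"}, "last_review": date(2015, 2, 1)},
    {"name": "bob", "role": "analyst", "role_at_last_review": "sysadmin",
     "rights": {"os:root", "net:admin"}, "last_review": date(2015, 1, 15)},
    {"name": "carol", "role": "web-admin", "role_at_last_review": "web-admin",
     "rights": {"web:admin", "backup:admin"}, "last_review": date(2014, 10, 1)},
]


def run_sample_review():
    return review_privileged_access(SAMPLE_USERS, REVIEW_DATE)


if __name__ == "__main__":
    for name, issues in run_sample_review().items():
        print(name, issues or "ok")
```

Run as a script it prints one line per user; "bob" is the case the article warns about, a role change that nobody followed up with an access review, so his root and network rights are reported as excess and his record is flagged for re-review.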

2. Do your systems require strong passwords for all privileged access?

The system should require strong passwords for all privileged access and should require password updates on a regular basis. Many privileged accounts come with a default user name and password that could be considered common knowledge outside of the organization (such as vendor-set passwords), or at least searchable on Google. Passwords should be changed to a minimum of seven characters consisting of both numeric and alphabetic characters. Even strong passwords should be updated on a regular basis to reduce the risk of too many individuals knowing them, including individuals who have left the organization. Many companies don’t stop there; some adopt multi-factor authentication technologies that not only require passwords, but also incorporate the use of tokens and biometrics.
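Two checks follow from the recommendation above: a policy check when a password is set, and a periodic audit of stored credentials for vendor defaults and overdue rotation. The audit below compares each known default against the stored salted hash, so it never needs the passwords in clear text. This is an added example, not code from the article; the default-password list, the 90-day rotation period and the sample accounts are constructed assumptions, and the seven-character minimum is the article's own figure.

```python
"""Password hygiene for privileged accounts: enforce the article's minimum on
new passwords (seven or more characters, letters and digits) and audit stored
credentials for vendor defaults and overdue rotation without ever holding the
passwords in clear text. Added example, not from the article; the default-
password list, rotation period and sample accounts are constructed assumptions."""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 7                          # the article's stated minimum
ROTATION = timedelta(days=90)           # assumed rotation period
PBKDF2_ITERATIONS = 100_000
# Constructed stand-in for the vendor-set defaults that are public knowledge.
VENDOR_DEFAULTS = ("admin", "password", "changeme", "default1", "sa")
AUDIT_DATE = date(2015, 3, 24)          # constructed "today" for the sample run


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_new_password(candidate):
    """Policy check at password-set time. Returns a list of violations."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isalpha() for c in candidate):
        problems.append("no_letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no_digits")
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("vendor_default")
    return problems


def audit_accounts(accounts, today):
    """Audit stored credential records. A vendor default is detected by hashing
    each known default with the account's own salt and comparing digests, so
    the audit needs no plaintext. Returns {account: [issue, ...]}."""
    findings = {}
    for acct in accounts:
        issues = []
        if any(hash_password(d, acct["salt"]) == acct["hash"] for d in VENDOR_DEFAULTS):
            issues.append("vendor_default_in_use")
        if today - acct["last_changed"] > ROTATION:
            issues.append("rotation_overdue")
        findings[acct["name"]] = issues
    return findings


def make_account(name, password, last_changed):
    """Build a stored record the way a credential store would (constructed)."""
    salt = os.urandom(16)
    return {"name": name, "salt": salt,
            "hash": hash_password(password, salt), "last_changed": last_changed}


# Constructed sample: an appliance still on its default, a compliant DBA login,
# and a service account whose password was last set five months ago.
SAMPLE_ACCOUNTS = [
    make_account("appliance-admin", "admin", date(2014, 6, 1)),
    make_account("db-sa", "Gr33nLantern7", date(2015, 3, 1)),
    make_account("backup-svc", "Winter2014x", date(2014, 11, 1)),
]


def run_audit():
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, issues in run_audit().items():
        print(name, issues or "ok")
```

The audit costs one PBKDF2 computation per default per account, which is the point: the same work factor that slows an attacker also bounds how large a default list you can afford to sweep on a schedule. Plain `==` on the digests is fine for an offline audit; an authentication path should use `hmac.compare_digest` instead.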

3. Does your organization have the capability to monitor the actions performed using privileged access?

In the Anthem example, the breach was ultimately contained once an administrator noticed that his credentials had been compromised. This is why it is essential that your organization has a process for monitoring privileged access and alerting the appropriate stakeholders of changes.

Your organization should monitor transactions such as:

  • Log-ins to privileged accounts
  • Activities that took place in concurrent sessions
  • The elevation to privileged access (including traceability to the user account that performed the elevation)
  • Attempts to access deactivated accounts
  • The addition of new privileged accounts

Stakeholders could include but are not limited to the user, management and system administrators, depending on the structure of your organization. Monitoring the use of privileged functions is one way to detect misuse and mitigate the risks posed by both inside and outside threats.
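The five transaction types in the list above map directly onto detection rules over an authentication log. The following is an added example, not code from the article: the log format ("timestamp host event key=value ..."), the privileged user and group names, and every log line are constructed so the rules can be exercised offline.

```python
"""Privileged-activity monitoring over authentication logs, covering the five
transaction types listed in the article. Added example, not from the article;
the log format, privileged user and group names and the log lines are all
constructed."""
from collections import defaultdict

PRIVILEGED_USERS = {"root", "dbadmin"}
PRIVILEGED_GROUPS = {"wheel", "sudo", "domain-admins"}

# Constructed lines in a hypothetical "timestamp host event key=value ..." format.
SAMPLE_LOG = """\
2015-03-24T08:01:12 app1 login user=bob src=10.0.0.5 result=success
2015-03-24T08:03:40 app1 login user=dbadmin src=10.0.0.9 result=success
2015-03-24T08:05:02 app1 sudo user=bob target=root cmd=/bin/bash
2015-03-24T08:07:15 app2 login user=bob src=198.51.100.7 result=success
2015-03-24T08:09:00 app1 login user=oldadmin src=10.0.0.22 result=denied reason=disabled
2015-03-24T08:11:30 app1 useradd actor=root new_user=svc-deploy groups=wheel
2015-03-24T08:12:00 app2 logout user=bob
"""


def parse(line):
    """Split one log line into a dict of fields."""
    ts, host, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "host": host, "event": event, **fields}


def detect(lines):
    """Return a list of (alert_type, details...) tuples in log order."""
    alerts = []
    open_sessions = defaultdict(list)  # user -> [(host, src), ...] still logged in
    for line in lines:
        if not line.strip():
            continue
        e = parse(line)
        if e["event"] == "login":
            # An attempt against a deactivated account is worth an alert even
            # though it was denied: someone is trying retired credentials.
            if e.get("result") == "denied" and e.get("reason") == "disabled":
                alerts.append(("deactivated_account_attempt", e["user"], e["src"]))
                continue
            if e.get("result") != "success":
                continue
            if e["user"] in PRIVILEGED_USERS:
                alerts.append(("privileged_login", e["user"], e["src"]))
            # A second successful login while an earlier session is still open.
            if open_sessions[e["user"]]:
                sources = [src for _, src in open_sessions[e["user"]]] + [e["src"]]
                alerts.append(("concurrent_sessions", e["user"], sources))
            open_sessions[e["user"]].append((e["host"], e["src"]))
        elif e["event"] == "logout":
            open_sessions[e["user"]] = [
                s for s in open_sessions[e["user"]] if s[0] != e["host"]]
        elif e["event"] == "sudo":
            # Elevation stays traceable to the account that performed it.
            alerts.append(("privilege_elevation", e["user"], e["target"], e["cmd"]))
        elif e["event"] == "useradd":
            groups = set(e.get("groups", "").split(","))
            if groups & PRIVILEGED_GROUPS:
                alerts.append(("new_privileged_account", e["new_user"], e["actor"]))
    return alerts


def run_detection():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_detection():
        print(*alert)
```

The concurrent-session rule is the one that would have mattered most in the scenario the article describes: a second successful login for "bob" from an unfamiliar address while his first session is still open is exactly what a stolen credential looks like from the defender's side, and the alert carries both source addresses so the stakeholder can ask the user which one is theirs.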

Security breaches are far from being a thing of the past. However, your organization can put some of the risks associated with privileged accounts behind you by taking the necessary precautions above.
