Kevin Jermyn, Senior Project Manager
These days, cyber criminals don’t have to use the most sophisticated hacking skills to be successful. Phishing people is easy and often yields quick results. They just cast their nets every day and pull in the nets later that evening to see all the little (and sometimes big) fish that were caught. They really get excited when someone who has a high level of computer access to a company ends up in one of their nets. The best days are when they get database admins, company network admins, infrastructure support personnel, or the accounts of company executives.
Types of Privileged Access
Privileged accounts, credentials, and secrets are needed for an administrator, application, or device to access a system (such as applications, servers, switches, firewalls, routers) whether located in your on-premises data center or in the cloud. “Privilege” is a term used to designate special access or abilities, above and beyond that of a standard user.
If you aren’t personally an “administrator” at work, think about how you have to provide a password to download a new app on your iPad or smartphone, even though your whole family shares the device. You’re the administrator of the iPad and have privileged access to the device. You’re in control of what gets to be installed on that device (unless you have shared your password, which is another all-too-common story).
You will find two types of privileged access in a business setting. The first is privileged access used by humans, and the second is access used by non-human automated processes.
Common types of privileged access
Privileged access used by humans
Human privileged access is when a human manages and uses an account and typically knows the password unless some advanced tools are in place. Types of privileged access used by humans include the following:
Super user type accounts: This is a special user account that’s used for IT system administration, such as making configurations to a system or application, adding/removing users, or deleting data. Example: Jim, the accounting application administrator, logs in with his super user account for a popular Customer Relationship Management (CRM) application to add and remove users who are starting in or exiting from the accounting department. He also makes system level configuration changes as requested by the head of accounting. Other examples of super user type accounts include the accounts used by server admins, network administrators, and database or application admins. Admin consoles for cloud-based infrastructure and applications and DevOps tools are highly privileged as well.
Domain administrative account: These accounts provide privileged administrative access across all workstations and servers within a network domain. While these accounts are few in number, they provide the most extensive and robust access across the network. With complete control over all domain controllers, a compromise of these credentials is often a worst-case scenario for any organization. Example: A common type of privileged administrative account that an attacker targets is a Windows domain controller account. If a hacker obtains this, they can typically access many servers and any corresponding data on each server.
Local administrative accounts on workstations: This account uses a combination of a username and password that helps people access and make changes to their local computers. Example: Jane logs on to her computer with a user ID and password so she can get access to her workstation and can make changes, such as downloading applications, unless local administrative privileges have been removed from her workstation. If Jane doesn’t have local admin privileges, the local administrative account can only be accessed by a system administrator.
Secure socket shell (SSH) keys: SSH keys are one of the most heavily used access control mechanisms in the enterprise, and they often provide direct root access to critical systems. Root is the username or account that by default has access to all commands and files on a Linux or other Unix-like operating system. Example: An administrator uses an SSH key to log in remotely and securely to an online tool hosted at an offshore facility.
Emergency accounts: These accounts provide users with administrative access to secure systems in the case of an emergency and are sometimes referred to as fire-call or break-glass accounts. While access to these accounts typically requires managerial approval for security reasons, it’s usually a manual process that’s inefficient and lacks any means of auditing. Example: An emergency account could be a specific application administrative account for a third-party software package that’s installed on local servers and has broad access to configure the application but is not needed for normal support. This account may be used in emergencies where other points of access aren’t sufficient.
Privileged business user: A privileged business user is someone who works outside of IT but has access to sensitive systems. This could include someone who needs access to finance, human resources (HR), or marketing systems. Example: Jane, the HR admin, logs into the HR management (HRM) system. She has the ability to view and change sensitive information related to employee compensation.
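The SSH-key entry above notes that a key can grant direct root access to a system. The Python script below is an added example, not code from the article or its author: it parses the OpenSSH authorized_keys line format (optional comma-separated options, key type, base64 key, optional comment) and lists root keys that carry no `from=` source restriction or `command=` forced command, or that use a deprecated key type. The sample file contents, key material, hosts and comments are constructed placeholders.

```python
"""Audit an authorized_keys file for entries that grant unrestricted access.

Added example, not code from the article: it parses the OpenSSH
authorized_keys line format (optional comma-separated options, key type,
base64 key, optional comment) and reports entries that lack a source
restriction (from=) or a forced command (command=), or that use a
deprecated key type. Key material, hosts and comments below are constructed.
"""

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
DEPRECATED_TYPES = {"ssh-dss"}

# Constructed sample of what /root/.ssh/authorized_keys might contain
# (the base64 blobs are placeholders, not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
# backup job: pinned to one source host and one command
from="10.0.5.12",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 backup@job
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER2 jim@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER3 legacy-admin
no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 deploy@ci
"""


def _split_options(line):
    """Split the leading options field; it ends at the first unquoted space.
    Commas inside double quotes (e.g. from="a,b") do not separate options."""
    opts, buf, in_quotes = [], "", False
    for i, c in enumerate(line):
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            opts.append(buf)
            buf = ""
            continue
        elif c == " " and not in_quotes:
            opts.append(buf)
            return opts, line[i + 1:].lstrip()
        buf += c
    opts.append(buf)
    return opts, ""


def parse_entry(line):
    """Return a dict for one key line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = [], line          # no options field present
    else:
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognized authorized_keys entry: {line!r}")
    return {"options": options, "key_type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def audit_authorized_keys(text):
    """Return (label, finding) pairs for every entry that needs attention."""
    findings = []
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        label = entry["comment"] or entry["key_type"]
        # Option names only: from="..." -> from, command="..." -> command
        names = {opt.split("=", 1)[0] for opt in entry["options"]}
        if "from" not in names:
            findings.append((label, "no source restriction (from=)"))
        if "command" not in names:
            findings.append((label, "no forced command (command=)"))
        if entry["key_type"] in DEPRECATED_TYPES:
            findings.append((label, "deprecated key type " + entry["key_type"]))
    return findings


if __name__ == "__main__":
    for label, finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{label}: {finding}")
```

Run against the sample, the pinned backup key produces no findings, while the three other keys are reported because nothing limits where they can be used from or what they can run; the same script can be pointed at the real file on each host as part of a privileged-access inventory.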
Non-human privileged access
The next type of privileged access is used by non-human automated processes. These automated processes are sometimes referred to as machine identities.
Types of privileged access used by automated processes include the following:
Application accounts: A privileged account that’s specific to the application software and is typically used to administer, configure, or manage access to the application software. Example: A data visualization tool that produces reports and diagrams connects to a data warehouse to pull the data. The application account automatically connects to the data warehouse without user intervention to allow the application to access the right data. The password for this account is often stored in the application itself or a configuration file.
Service account: This is a special account that an application or service uses to interact with the operating system. Services use these accounts to access and make changes to the operating system or the configuration. Example: The accounting application needs to start a local database engine service on the local computer running SQL Server without the user having to worry about it or even know it’s happening.
SSH keys: SSH keys are also used by automated processes. Example: SSH keys are used in dynamic cloud environments that auto-scale infrastructure.
Secrets: The term secrets is most frequently used by development and operations (DevOps) teams. This is a catch-all term that refers to SSH keys, application program interface (API) keys, and other credentials used by DevOps teams that provide privileged access. Example: A DevOps team may have secrets embedded in the software they’re developing.
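The application-account and secrets entries above describe the same failure mode: a credential stored as a literal in the application or in a configuration file. The Python example below is added here and is not code from the article or its author. It scans a constructed configuration file for credential literals (distinguishing them from references such as `${VAR}` or a `vault:` URI) and shows the fail-closed alternative of fetching the secret from the process environment at runtime, as a secret store or orchestrator would inject it. The sample file, key names, regexes and the AWS key ID placeholder are all constructed.

```python
"""Find credentials stored as literals in configuration files.

Added example, not code from the article. scan_config() flags key/value
lines whose key looks like a credential and whose value is a literal rather
than a reference to an environment variable or secret store; load_secret()
is the fail-closed runtime lookup that replaces reading the value from disk.
Key names, regexes and the sample file are constructed.
"""
import os
import re

# A key name containing one of these words usually carries a credential.
SECRET_KEY_RE = re.compile(
    r"^(?P<key>[A-Za-z0-9_.-]*"
    r"(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"
    r"[A-Za-z0-9_.-]*)\s*[:=]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Values that point elsewhere instead of holding the secret: ${VAR}, $VAR,
# a vault:/secretsmanager: URI, or an <angle-bracket placeholder>.
REFERENCE_RE = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$|vault:|secretsmanager:|<[^>]+>$)"
)
# AWS access key IDs are 20 characters beginning with AKIA (public format).
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample INI file; the AWS key ID is a placeholder, not a real key.
SAMPLE_CONFIG = """\
[warehouse]
host = dw.internal.example
user = reports_app
password = Sup3rS3cret!
[cloud]
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
[api]
api_key = vault:secret/data/reports#api_key
"""


def scan_config(text, filename="<config>"):
    """Return (filename, line_number, reason) for each credential literal found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue                      # comment or blank line
        if AWS_ACCESS_KEY_RE.search(stripped):
            findings.append((filename, lineno, "AWS access key ID literal"))
            continue
        m = SECRET_KEY_RE.match(stripped)
        if not m:
            continue
        value = m.group("value").strip("'\"")
        if value and not REFERENCE_RE.match(value):
            findings.append((filename, lineno,
                             f"{m.group('key')} holds a literal credential"))
    return findings


class MissingSecret(RuntimeError):
    """A required secret is absent; the application should refuse to start."""


def load_secret(name, env=None):
    """Fetch a secret injected into the process environment by the secret store
    or orchestrator at deploy time, rather than reading it from a file on disk.
    Fails closed: a missing or empty value is an error, never a default."""
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise MissingSecret(f"required secret {name} is not set")
    return value


if __name__ == "__main__":
    for filename, lineno, reason in scan_config(SAMPLE_CONFIG, "warehouse.ini"):
        print(f"{filename}:{lineno}: {reason}")
    # Runtime lookup; the application refuses to start if DW_PASSWORD was not injected.
    try:
        load_secret("DW_PASSWORD")
    except MissingSecret as exc:
        print(exc)
```

On the sample file the scanner reports the warehouse password and the AWS access key ID, and leaves alone the two entries that only reference a secret held elsewhere. Running a scan like this in the build pipeline catches embedded secrets before they ship, and the fail-closed lookup makes a missing injection a visible startup error instead of a silent fallback.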
Is it a Privilege to Have Privileged Access?
Having privileged access may seem like an honor, but after hearing about the risks and threats, it may seem a little daunting. In this era of cybersecurity risk, the responsibility and exposure to compromise makes privileged access more of a liability if it’s not managed safely.
Think about what attackers or malicious insiders may want to do with privileged access. They can:
Change firewall rules so your network can be penetrated (or data can be extracted).
Access your infrastructure in the cloud to steal data or use your infrastructure without your permission.
Steal your customer list or very sensitive files/data, or encrypt the data via ransomware.
The easiest way to attain all of this is for attackers or malicious insiders to get their hands on unprotected, unmonitored, privileged credentials. If you want to attack or steal from a company, why would you want to use harder methods when it’s this easy?
If a company wants to defend against these risks, why not start by better securing these super risky accounts, credentials, and secrets? The “privilege” isn’t actually having the credentials; it’s the duty of protecting them.
Do you know who has access to which areas of your network? CCC will help ensure appropriate access to all of your network infrastructure.