
Restricting privileges is important, but it’s not just about the IT administrator access

Serkan Cetin from One Identity explains why organisations need to look beyond protocols put in place by IT administrators when managing user privileges.

Serkan Cetin
Tue, 08 Feb 2022

Over the past few years, the world has experienced a flurry of cyber attacks, growing in numbers, scale, scope and complexity. Cyber criminals and state-sponsored actors have become more aggressive and creative, putting all chief information security officers (CISOs) on a permanent alert. So, what should enterprises and government agencies do to lower their overall cyber security risks in this context?

By now, most IT professionals in Australia would be familiar with the Essential Eight, produced by the Australian Cyber Security Centre (ACSC) in 2017 as a set of recommendations intended to help enterprises stay on top of cyber attacks, with a focus on prevention. The accompanying Essential Eight Maturity Model defines eight mitigation strategies and three maturity levels of security.

While those three maturity levels were intended to be implemented progressively from the most basic to the most sophisticated, organisations have the freedom to determine which level is best for them.


In this article, I will focus on one of these essentials: restricting administrative privileges, which at any level is one of the most effective cyber security risk mitigation strategies. In reading this, we should keep in mind that privileged access is not just about the IT administrator access but could also be used to describe elevated (aka: privileged) access rights that have been assigned for business users of enterprise apps.

How big is the privilege access problem?

Picture this: an organisation takes on a new staff member. During onboarding, the person completing the process (IT or the hiring manager) selects the option that gives the newcomer the highest level of access, from confidential client information to folders that have nothing to do with the new worker’s specific client list. There is no malicious intent behind granting this level of access; it is simply the easiest and least cumbersome option.

Whilst this approach might not seem like a problem, it has the potential to lead to unforeseeable consequences and bring unimaginable damage to the company if it were exposed to intrusion. How? A malicious internal or external actor could use the new starter’s access to obtain unrestricted access to all client information. This situation is not uncommon: 60 per cent of the cyber incidents reported to the Office of the Australian Information Commissioner (OAIC) in January-June 2021 involved the use of compromised credentials.

A threat that is often less spoken about is the malicious insider. While we generally trust our employees to act in the best interest of the company, this may not always be the case, and we must assume that the attacker could be not just external but also internal to the organisation, whether as an employee, contractor or supplier.

Breaches are not always caused with malicious intent though, and 30 per cent of breaches reported in the OAIC January-June 2021 report were a result of human error. While it’s not possible to determine the root cause from the stats alone, it does make me wonder if these could have been mitigated by restricting administrative privileges.

Now, while the scenario of the newcomer described in this article is fictitious, a real approach that’s often used is the process of “cloning”. With cloning, the newcomer is granted the same level of access and authorisations as another user, often their peer or manager. However, the cloned user may have been in the organisation for many years and held various positions across multiple departments and divisions. As a result, that cloned user will have accumulated access and privileges to various applications, often ones that are not required for the newcomer’s role.

Implementing policies and processes to manage and administer identities, access and privileges helps protect organisations from the risks associated with over-provisioning. This benefits the whole company: the management of access can be automated, and the organisation is better protected as a result.

As a result, potential breaches will have limited impact because even if the credentials from one of the employees have been compromised, that person has access only to specific files and data of the organisation. This limits the access a potential attacker could obtain, therefore the risk of confidential information leakage is reduced.
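The contrast between cloning a peer and deriving access from the newcomer’s role can be made concrete with a small entitlement review. The following is an added illustration, not One Identity’s or the ACSC’s code; the roles, entitlement names and users are constructed sample data, and the role baseline stands in for whatever an organisation’s own access model defines.

```python
"""Entitlement review: compare what a cloned account actually holds against
what its current role justifies. Added illustration with constructed data;
not code from One Identity or the ACSC."""
from dataclasses import dataclass, field

# Role baseline: the entitlements each job role needs (constructed sample data).
ROLE_BASELINE = {
    "account_manager": {"crm:read_own_clients", "email", "shared:sales_team"},
    "finance_analyst": {"erp:ledger_read", "email", "shared:finance"},
    "it_admin": {"ad:domain_admin", "email", "shared:it"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def provision_from_role(name: str, role: str) -> User:
    """Least-privilege onboarding: derive access from the role, not from a peer."""
    return User(name, role, set(ROLE_BASELINE[role]))


def provision_by_cloning(name: str, role: str, template: User) -> User:
    """The 'cloning' shortcut: copy a peer's access wholesale, history included."""
    return User(name, role, set(template.entitlements))


def excess_entitlements(user: User) -> set:
    """Entitlements the user holds that their current role does not justify."""
    return user.entitlements - ROLE_BASELINE[user.role]


def review(users):
    """Findings for every user holding more than their current role requires."""
    return {u.name: sorted(excess_entitlements(u)) for u in users if excess_entitlements(u)}


# A long-tenured peer who moved from IT, through finance, into sales and kept
# every grant along the way (constructed example of accumulated access).
veteran = User(
    "veteran",
    "account_manager",
    ROLE_BASELINE["account_manager"] | ROLE_BASELINE["finance_analyst"] | ROLE_BASELINE["it_admin"],
)

cloned_newcomer = provision_by_cloning("newcomer_cloned", "account_manager", veteran)
role_newcomer = provision_from_role("newcomer_role", "account_manager")

if __name__ == "__main__":
    for name, excess in review([veteran, cloned_newcomer, role_newcomer]).items():
        print(f"{name}: excess access -> {excess}")
```

Run as-is, the review flags both the veteran and the cloned newcomer with the same four excess entitlements (including domain admin rights), while the role-provisioned newcomer has none. The same `review` function doubles as a periodic recertification check: anyone whose holdings drift from their role baseline shows up, whether the drift came from cloning, a role change, or a one-off grant that was never revoked.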

How do we manage access and privileges?

One may think that simply reducing the number of privileged accounts, or assigning administrative privileges to user accounts only for a short period, can solve the issue of cyber attacks in the workplace. However, there are additional complexities, especially in larger organisations. The ACSC’s publication Strategies to Mitigate Cyber Security Incidents sets out four steps for implementing an approach to restricting administrative privileges.

While this may not cover all possible scenarios for all organisations across all industries, it does provide the fundamentals for better managing privileged access. Additional measures could (and in many cases should) be taken to improve the security of these systems. The next step is to take further measures to protect the access, such as:

  • Multifactor authentication before the privileged account can be used
  • Limiting use of the privileged account for only the specified period of time
  • Automated credential rotation after each use, and regular scheduled rotation
  • Continuous monitoring of access, actions taken, commands executed, programs accessed, and alerting when there is a deviation from the established norm.
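The four measures above can be expressed as checks run over a privileged-session log. The following is an added illustration, not One Identity’s or the ACSC’s code. It assumes a simple JSON-lines session log, a per-account approval record (MFA flag, approved time window, last credential rotation, and a baseline of commands normally run), and a hypothetical `POLICY` structure; all log lines and policy values are constructed sample data.

```python
"""Privileged-session policy check over constructed log lines. Added
illustration, not code from One Identity or the ACSC. It applies four
controls: MFA before use, a bounded approval window, credential age for
scheduled rotation, and deviation from an established command baseline."""
import json
from datetime import datetime, timedelta

# Approval record per privileged account (constructed sample). Timestamps are
# naive ISO-8601 strings treated as UTC.
POLICY = {
    "adm-alice": {
        "window": ("2022-02-08T09:00:00", "2022-02-08T11:00:00"),
        "baseline_commands": {"systemctl", "journalctl", "apt"},
        "last_rotated": "2022-02-08T08:55:00",
    },
}
MAX_CREDENTIAL_AGE = timedelta(hours=24)

# Constructed session log: one JSON object per line, as a session gateway might emit.
SAMPLE_LOG = """\
{"ts": "2022-02-08T09:05:00", "account": "adm-alice", "mfa": true, "command": "systemctl"}
{"ts": "2022-02-08T09:40:00", "account": "adm-alice", "mfa": true, "command": "apt"}
{"ts": "2022-02-08T10:10:00", "account": "adm-alice", "mfa": false, "command": "journalctl"}
{"ts": "2022-02-08T10:30:00", "account": "adm-alice", "mfa": true, "command": "useradd"}
{"ts": "2022-02-08T13:15:00", "account": "adm-alice", "mfa": true, "command": "systemctl"}
{"ts": "2022-02-08T13:20:00", "account": "adm-mallory", "mfa": true, "command": "ls"}
"""


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def evaluate_event(event: dict, policy=POLICY) -> list:
    """Return the policy violations (possibly none) for one session event."""
    findings = []
    acct = policy.get(event["account"])
    if acct is None:
        # No approval on record at all: the account should not be used.
        return [f"{event['account']}: no approved privileged access on record"]
    ts = _parse(event["ts"])
    start, end = (_parse(t) for t in acct["window"])
    if not event.get("mfa"):
        findings.append(f"{event['account']}: privileged action without MFA at {event['ts']}")
    if not (start <= ts <= end):
        findings.append(f"{event['account']}: use outside approved window at {event['ts']}")
    if event["command"] not in acct["baseline_commands"]:
        findings.append(f"{event['account']}: command '{event['command']}' deviates from baseline")
    return findings


def evaluate_log(text: str, policy=POLICY) -> list:
    """Run every log line through the checks and collect all findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(evaluate_event(json.loads(line), policy))
    return findings


def credentials_due_for_rotation(now_iso: str, policy=POLICY, max_age=MAX_CREDENTIAL_AGE) -> list:
    """Accounts whose credential is older than the allowed age (scheduled rotation)."""
    now = _parse(now_iso)
    return sorted(a for a, p in policy.items() if now - _parse(p["last_rotated"]) > max_age)


if __name__ == "__main__":
    for finding in evaluate_log(SAMPLE_LOG):
        print("ALERT:", finding)
    print("rotation due:", credentials_due_for_rotation("2022-02-10T09:00:00"))
```

On the sample log this raises four alerts: one session without MFA, one command outside the account’s baseline, one use after the approved window closed, and one account with no approval on record. Rotation after each use is not modelled here because it is an action taken by the credential vault rather than a log check; the `last_rotated` field is where that action would be recorded, and `credentials_due_for_rotation` then catches any credential the scheduled rotation missed.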

Having outlined the most important elements of the various administrative strategies, it is up to companies to shift their priorities towards protecting their data and the administrative privileges they give to their employees. Executives and senior staff need to be wary of the risks that unnecessary access brings, which could be readily addressed with in-depth education on the subject.

With all this in mind, how are you going to restrict and manage privileges across both administrative and business users?

Serkan Cetin is the technical director, APJ at One Identity.
