Companies have been distributing privileged accounts to employees and vendors for the past 20 years without considering the security ramifications.
Privileged accounts are logons that open access to desktops, laptops, servers, firewalls, databases, printers—any device with a microprocessor that's connected to a company network.
But hackers and data thieves are abusing privileged accounts to breach highly protected networks and steal mountains of sensitive data. In fact, 86 percent of large enterprise organizations either do not know or underestimate the number of privileged accounts incorporated into their networks, according to a survey from password security vendor CyberArk Software.
Follow these best practices for securing privileged accounts and sensitive data from ThirdCertainty.com.
1. Reduce the number of privileged accounts. Every company has too many. This creates opportunities for accidental damage and breaches. And it increases the odds of an intruder gaining a foothold in your network.
2. Reduce privileges of authorized users. Allow authorized users to make changes only to the parts of the infrastructure that they are assigned to manage. That is far better than giving them rights to make changes more broadly.
3. Monitor, monitor, monitor. Record all logons and all activities. This process helps maintain compliance and ensures an easily reviewable audit trail exists. It also helps quickly identify intruders, as well as rogue insiders, or even sloppy or incompetent employees. Look into implementing advanced monitoring that will automatically alert you to anomalous activity.
4. Use strong authentication and robust passwords. At one time it was acceptable for a limited group of people to share a single account password, but that is no longer the case, especially for systems carrying sensitive data.
5. Get to know your data. Account for sensitive data that may be backed up in multiple locations, or that may be stored in stray locations due to poor data hygiene practices.
6. Assume you’ve been breached. Begin with the assumption that a thief is in your midst. Structure your network to reduce the impact of an attacker in any one area. Watch for unusual behavior of both people and systems. Focus on the people granted access to the sensitive data.
7. Control physical access. Lock up desktops and take home or lock away laptops after hours. Locate servers in secure data rooms, not in branch offices, kitchens or closets. Monitor and manage access to data rooms.
8. Regularly review access rights. Assign managers and supervisors to periodically check subordinates’ access rights to assure users only have access to appropriate systems.
9. Enforce encryption. Apply appropriate levels of encryption to data at rest and data in motion.
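As an added illustration of practices 1, 3 and 4 (example code written for this page, not part of the original article), the script below runs three checks over a constructed sample of privileged-account logon records: a shared account used from two different hosts in a short window, privileged logons outside business hours, and inventoried accounts that have gone dormant and are candidates for removal. The record format, account names, hosts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of privileged-account logon records (not real data):
# (timestamp, account, source_host, target_system)
EVENTS = [
    ("2024-03-04T09:02:00", "db_admin",   "ws-alice", "db01"),
    ("2024-03-04T09:05:00", "db_admin",   "ws-bob",   "db01"),    # same account, second host
    ("2024-03-04T10:15:00", "fw_admin",   "ws-carol", "fw-edge"),
    ("2024-03-05T02:40:00", "fw_admin",   "ws-carol", "fw-edge"), # 02:40, outside business hours
    ("2024-03-06T11:00:00", "backup_svc", "bk01",     "nas01"),
]
# Assumed privileged-account inventory; "legacy_root" never appears in the logons.
INVENTORY = {"db_admin", "fw_admin", "backup_svc", "legacy_root"}


def parse(events):
    """Convert ISO timestamps to datetime objects, keeping the other fields."""
    return [(datetime.fromisoformat(ts), acct, src, tgt) for ts, acct, src, tgt in events]


def shared_account_use(events, window=timedelta(minutes=30)):
    """Practice 4: accounts used from two different hosts within `window`,
    a sign the password is being shared rather than tied to one person."""
    findings = set()
    seen = defaultdict(list)  # account -> [(timestamp, source_host), ...]
    for ts, acct, src, _ in sorted(parse(events)):
        for prev_ts, prev_src in seen[acct]:
            if src != prev_src and ts - prev_ts <= window:
                findings.add(acct)
        seen[acct].append((ts, src))
    return findings


def off_hours_logons(events, start=8, end=18):
    """Practices 3 and 6: privileged logons outside the business-hours window."""
    return [(acct, ts.isoformat()) for ts, acct, _, _ in parse(events)
            if not start <= ts.hour < end]


def dormant_accounts(events, inventory, now, max_idle=timedelta(days=30)):
    """Practice 1: inventoried accounts with no logon inside `max_idle`,
    i.e. candidates for removal. `now` is an ISO timestamp string."""
    now_dt = datetime.fromisoformat(now)
    last_seen = {}
    for ts, acct, _, _ in parse(events):
        last_seen[acct] = max(ts, last_seen.get(acct, ts))
    return {a for a in inventory if a not in last_seen or now_dt - last_seen[a] > max_idle}
```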
Source: CyberScout interviews with Brad Hibbert, Vice President, Product Strategy and Operations at BeyondTrust, a Phoenix-based supplier of vulnerability and privileged account management systems, and Geoff Webb, Solution Strategy Senior Director at Houston-based identity management vendor NetIQ.