A 2022 report on privileged user threats by the Ponemon Institute suggests that privileged user attacks skyrocketed by 44% in 2020, with the cost per attack at $15.38 million. Given the colossal damage privileged user attacks leave in their wake, averting security threats from malicious privileged users has become more crucial than ever.
Who is a privileged user?
A privileged user is an employee with the mandate to access sensitive company information. Understanding what makes someone a privileged user helps organizations monitor and mitigate malicious privileged user attacks. In most cases, privileged users are given elevated access to the company’s source code, networks, and other technical areas. These extra privileges leave the organization’s sensitive data exposed if they are abused.
While providing some employees with privileged access is important for the successful running of an organization, care must be taken to define these privileges and provide sufficient restrictions to areas the user is not authorized to access.
Understanding privileged user attacks
Privileged user attacks generally take advantage of an organization’s vulnerabilities, which could be system misconfigurations, bugs, or unrestricted access controls. While standard users have limited access to sensitive files and system databases, a privileged user already has access to these sensitive resources and may be entitled to far more.
Depending on their objectives, privileged users can move to obtain control of more systems or to gain admin and root access until they have complete control of the entire environment. When they do, it becomes easier for them to control low-level user accounts and expand their privileges.
Ways privileged user threats can manifest
1. Credential exploitation
Credentials like usernames and passwords are common means of launching a privileged attack.
In this case, an attacker may try to obtain the system administrator’s credentials, since that account has more privileges over sensitive data and system files. Once a malicious privileged user gains control of the credentials, it’s only a matter of time before they exploit them.
2. Privileged vulnerability exploits
Vulnerabilities are flaws in code, design, implementation, or configuration that can be exploited in a malicious attack. The vulnerabilities a privileged user can exploit may affect the operating system, network protocols, desktop and web applications, infrastructure and more.
A vulnerability does not guarantee that a privileged user attack will succeed; it only indicates the existence of a risk.
3. Poorly configured systems
Configuration problems are another type of exploitable vulnerability.
Most configuration problems that a privileged user can exploit often come from poorly configured security settings. Some instances of poorly configured systems include using a default password for a system administrator, unauthenticated cloud storage exposed to the internet, and leaving newly installed software with the default security settings.
Privileged attackers with root access and advanced knowledge of malware can also exploit security loopholes in your company’s system configurations. In addition, deploying malware such as trojans and ransomware is easier for privileged users because they already have root access to the system environment.
How business organizations can stop privileged user attacks
There are several ways business organizations can prevent or mitigate privileged user attacks. Any company can apply the prevention methods, while the mitigation depends on the type of attack.
1. Least privilege access
Many organizations make the mistake of granting employees privileged access to more than what their job demands. Unfortunately, this practice creates vulnerabilities that can aid a malicious attack from a privileged user.
One way to avoid this situation is to adopt the principle of least privilege. This organizational security practice limits privileged users’ access to only the data, systems, and applications they need to succeed in their role.
To put this into practice, all roles and the privileges they require must be audited by the company’s senior security staff. Doing so helps prevent situations where a user is granted unwarranted access. Critical audit areas include system admins, domain admins, database admins, payroll admins, and root users.
2. Security policies should guide privileged users
Ensure that a privileged user security policy is in place to define what a privileged user can and cannot do. This policy must also spell out the repercussions a user faces for violating it. The policy should also address what must be done when privileged users leave the company or change roles within it.
The best practice in most organizations is to revoke every security privilege granted to users before they leave their job. When a privileged user changes role, revoke the previous privileges and audit how they were used before granting new ones for the new role.
3. Implement periodic security monitoring
Another way of reducing the threat of malicious privileged user attacks is to set up a security monitoring team that periodically reviews how all privileged users use their access in performing their roles. This monitoring can be done manually by a senior security team or automated using security observability tools.
In addition, ensure that all employees know about this periodic security monitoring process, but do not announce the dates, to avoid situations where a malicious privileged user could cover their tracks beforehand.
For thorough monitoring of privileges, focus on how each user exercises their read, destroy, create and modify access. If you see a red flag in how access is used, revoke the access or tie it to a multifactor authentication system to forestall an impending compromise.
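The three practices above (a least-privilege role audit, revoking access when someone leaves, and reviewing read/destroy/create/modify activity) can be combined into one automated review. The following is an added example, not code from the article or from any vendor: it assumes a constructed role policy, a constructed account register with departure dates, and a constructed CSV audit log, and flags events that fall outside a user’s role or come from an account that should already have been revoked.

```python
import csv
import io
from datetime import date

# Constructed role policy: which operations each role may perform on which
# resource class. Anything not listed here is outside the role and is flagged.
ROLE_POLICY = {
    "db_admin":      {"database": {"read", "create", "modify"}},
    "payroll_admin": {"payroll":  {"read", "modify"}},
    "sysadmin":      {"host":     {"read", "create", "modify", "destroy"}},
}

# Constructed account register; a departed account should have been revoked.
ACCOUNTS = {
    "alice": {"role": "db_admin",      "departed": None},
    "bob":   {"role": "payroll_admin", "departed": None},
    "carol": {"role": "sysadmin",      "departed": date(2023, 3, 1)},
}

# Constructed audit log: date,user,operation,resource_class,target
AUDIT_LOG = """\
2023-03-02,alice,read,database,customers
2023-03-02,alice,destroy,database,customers
2023-03-02,bob,modify,payroll,salaries
2023-03-02,bob,read,database,customers
2023-03-03,carol,modify,host,web01
"""


def review_privileged_activity(log_text, accounts=ACCOUNTS, policy=ROLE_POLICY):
    """Return (user, reason) findings for events outside the user's role
    or performed by an account that should no longer be active."""
    findings = []
    for ts, user, op, res, target in csv.reader(io.StringIO(log_text)):
        acct = accounts.get(user)
        if acct is None:
            findings.append((user, f"unknown account performed {op} on {res}/{target}"))
            continue
        if acct["departed"] and date.fromisoformat(ts) >= acct["departed"]:
            findings.append((user, f"departed account still active: {op} on {res}/{target}"))
            continue
        allowed = policy.get(acct["role"], {}).get(res, set())
        if op not in allowed:
            findings.append((user, f"role {acct['role']} not permitted to {op} {res}/{target}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_privileged_activity(AUDIT_LOG):
        print(f"FLAG {user}: {reason}")
```

In a real deployment the policy and account register would come from the audited role catalogue and the HR/identity system rather than from inline dictionaries.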
4. Implement multifactor authentication
Another way to stop malicious privileged user attacks in your organization is to deploy multifactor authentication so that certain privileged operations require a fresh authentication step before access is granted. Although this may slow down the workflow, it’s better than leaving critical system access vulnerable in the hands of a malicious privileged user.