This summer, the NetIQ Cyber Resilience team hosted a virtual roundtable focused on best practices in privileged account management and advanced authentication. Our panel guests were Gautham Ananda, product manager for NetIQ Privileged Account Management solutions, Troy Drewry, product manager for NetIQ’s Advanced Authentication solutions, and Terry Cutler, an ethical hacker and CEO of Cyology Labs.
The webinar, How to Secure Your IT Systems When it Comes to Privileged Access, offers cyber-resilience advice from a curated panel of seasoned experts who help IT organizations in healthcare, government, manufacturing and other sectors. If you need to ensure your IT environments are as secure as possible, this webinar will help you understand how privileged account management and advanced authentication practices let your organization deliver IT services in a secure and compliant way.
This blog summarizes the roundtable discussion and includes recommendations from our experts.
Here's the Situation
Forrester estimates that nearly 80% of security breaches involve privileged access. Examples include the Colonial Pipeline breach, the US Office of Personnel Management (OPM) breach, and the SolarWinds breach.
What is privileged access? It is elevated access, which IT organizations typically categorize in two ways:
Privileged users are IT administrators who hold more elevated permissions than any other users. For example, an organization may have 99% regular users and 1% privileged users: system admins, network engineers, database engineers, application developers, or IT security practitioners. This 1% typically performs tasks involving access to and configuration of files, databases and software programs. While this is a small group, it is critical for organizations to know exactly what operations they perform.
Privileged accounts are another area that requires critical attention. These are the non-human accounts in an environment: application-to-application access, cloud instances, or server access such as root on Linux systems. Typically, these accounts use default or shared passwords so that a privileged user can get in quickly to troubleshoot an issue, a convenience that also makes them easy to misuse and hard to attribute to an individual.
Here’s the Challenge
Because privileged users and accounts are the main target for attackers, IT organizations need a layered approach to managing who has access to what across complex, hybrid IT environments. A layered defense is required to protect these assets.
What Can You Do?
The following advice from our panel experts can help you manage privileged access and privileged accounts for your IT organization to avoid breaches:
- A layered defense is required to protect your assets. Managing privileged users and accounts in your IT environment should include both on-prem and the cloud.
- Shared accounts are a common scenario: a machine, administrative or root account is used by multiple administrators, and most of the time nobody knows who used the account, when, or what operations they performed. Shared credentials also get lost: someone leaks the password to a colleague or writes it on a piece of paper, or it is misused intentionally, accidentally or through simple human error. The first step in this situation is to discover, document and inventory who has access to what, and when.
- Control privileged credentials on an as-needed basis: a credential is checked out for a task and checked back in afterwards, so each request can be approved or denied, and a second requester is told that the credential is already in use.
- Reset passwords periodically. A centralized privileged account management solution can automate these resets.
- Include monitoring and session recording of privileged users so that every operation an admin performs has an audit trail. On top of that, apply analytics to the recorded activity to detect anomalies in what an admin is doing, and act on the risks it surfaces.
- Use password rotation, temporary elevated access, or just-in-time access, so that a standing privileged credential is not left in anyone's hands longer than the task requires.
- During incident response, it is important to find the first compromised machine, also known as "patient zero." Password reuse is often how the compromise started: an administrator uses the same password on Facebook or Instagram as at work, and a weak password from a dark-web dump can be cracked in about 90 seconds, where a strong, unique one would hold.
- Shut down inactive accounts. Passwords are leaking everywhere, and a dormant account with a leaked password is one of the ways cybercriminals get into an environment. Attackers rarely hack your firewall; they send a phishing email or simply log in with a password that leaked.
- Enforce multi-factor authentication for privileged users, so that a leaked or guessed password on its own is not enough to take over the account.
- Investigate a risk service that automatically detects and contextualizes risk. IT is otherwise forced to try to defend everything at once. With phishing, ransomware, password leakage and outdated software all in play, the industry is moving towards a Zero Trust model in which every access is authenticated, logged and tracked.
- Ensure remote workers connect over a VPN so that their activity can be tracked and logged. Fewer people are returning to the office, so also look at technologies such as endpoint detection and response to stop ransomware and breaches on the devices themselves.
- Leverage login-velocity monitoring. For example, an administrator logs in at three o’clock in the morning and accesses sites from Canada, then suddenly tries to access sites from China; no one can travel that far in that time. The functionality to detect these anomalies and lock the account is available today, and NetIQ includes it in its risk service.
- Start with an audit. It is important to know what your assets are and which of them need to be secured. Learn who your privileged users are and which privileged accounts you manage, then prioritize your privileged access program to avoid losing company credentials, data or brand reputation, or incurring compliance fines.
- Use the NIST Cybersecurity Framework as a guide to building a consistent audit program, so you know what to protect and when to bring in technologies such as NetIQ to automate and secure privileged access and account management.
- Leverage an identity governance backend as the foundation that keeps your identity and access data automated and up to date, so the inventory of who has access to what does not go stale.
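The shared-account, check-out, rotation and audit-trail advice above fits together as one mechanism: a broker that holds the shared password, lends it to one named person at a time, rotates it whenever a holder gives it back or lets the lease lapse, and records every step. The following is an added example written for this post, not NetIQ's product or any code from the panel; CredentialBroker, checkout, checkin, rotate_due and the account root@db01 are invented names, and the passwords live in memory only for the sake of a runnable demo.

```python
"""Minimal shared-credential broker: exclusive, time-boxed check-out with
rotation on check-in or lease expiry, scheduled rotation and an audit trail.
Added example (not NetIQ's product); all names and the scenario are made up."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def generate_password(length: int = 24) -> str:
    """CSPRNG password: no human picks, reuses or writes down the shared secret."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

@dataclass
class Lease:
    user: str
    expires: datetime

@dataclass
class ManagedAccount:
    name: str
    password: str
    rotated_at: datetime
    lease: Optional[Lease] = None

class CredentialBroker:
    def __init__(self, max_lease: timedelta = timedelta(minutes=30)):
        self.accounts: Dict[str, ManagedAccount] = {}
        self.audit: List[dict] = []  # who did what to which account, and when
        self.max_lease = max_lease

    def _log(self, event, account, user, at: datetime, **extra):
        self.audit.append({"ts": at.isoformat(), "event": event,
                           "account": account, "user": user, **extra})

    def _rotate(self, acct: ManagedAccount, at: datetime, why: str):
        acct.password = generate_password()
        acct.rotated_at = at
        self._log("rotate", acct.name, "broker", at, reason=why)

    def onboard(self, name: str, now: datetime):
        # The old default/shared password is treated as burned: it is never
        # stored; the broker sets a fresh one on day one.
        self.accounts[name] = ManagedAccount(name, generate_password(), now)
        self._log("onboard", name, "broker", now)

    def checkout(self, name: str, user: str, reason: str, now: datetime) -> str:
        acct, lease = self.accounts[name], self.accounts[name].lease
        if lease and lease.expires > now and lease.user != user:
            self._log("checkout_denied", name, user, now, holder=lease.user)
            raise PermissionError(f"{name} is checked out by {lease.user}")
        if lease and lease.expires <= now:
            # Holder let the lease lapse without checking in: they still know
            # this password, so rotate before anyone else receives it.
            self._rotate(acct, now, "lease_expired")
        acct.lease = Lease(user, now + self.max_lease)
        self._log("checkout", name, user, now, reason=reason,
                  expires=acct.lease.expires.isoformat())
        return acct.password

    def checkin(self, name: str, user: str, now: datetime):
        acct = self.accounts[name]
        if acct.lease is None or acct.lease.user != user:
            raise PermissionError(f"{user} does not hold {name}")
        acct.lease = None
        self._log("checkin", name, user, now)
        self._rotate(acct, now, "checkin")  # the returned secret is now dead

    def rotate_due(self, now: datetime, max_age: timedelta) -> List[str]:
        # Scheduled reset for idle accounts whose password is older than max_age.
        rotated = []
        for acct in self.accounts.values():
            if acct.lease is None and now - acct.rotated_at >= max_age:
                self._rotate(acct, now, "scheduled")
                rotated.append(acct.name)
        return rotated

def run_scenario() -> dict:
    # Constructed scenario: three admins share root on db01.
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    b = CredentialBroker(max_lease=timedelta(minutes=30))
    b.onboard("root@db01", t0)
    p_alice = b.checkout("root@db01", "alice", "restart db", t0)
    try:
        b.checkout("root@db01", "bob", "apply patch", t0 + timedelta(minutes=5))
        denied = False
    except PermissionError:
        denied = True
    b.checkin("root@db01", "alice", t0 + timedelta(minutes=10))
    p_bob = b.checkout("root@db01", "bob", "apply patch", t0 + timedelta(minutes=11))
    # bob never checks in; carol arrives after his 30-minute lease has lapsed
    p_carol = b.checkout("root@db01", "carol", "disk alert", t0 + timedelta(minutes=60))
    b.checkin("root@db01", "carol", t0 + timedelta(minutes=70))
    due = b.rotate_due(t0 + timedelta(days=40), timedelta(days=30))
    return {"alice": p_alice, "bob": p_bob, "carol": p_carol, "bob_denied": denied,
            "scheduled": due, "events": [e["event"] for e in b.audit]}

if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over to any real deployment: the password is rotated at every boundary where a person who knew it stops being entitled to it (check-in, lease expiry), not only on a schedule, and the audit trail is written by the broker rather than by the administrators, so "who used root, when, and why" no longer depends on anyone's memory or on a note on a piece of paper.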
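The login-velocity anomaly in the list above (a 3 a.m. login from Canada followed minutes later by one from China) comes down to a simple check: the great-circle distance between two consecutive logins divided by the time between them gives a speed, and if that speed is faster than a human could travel, one of the two logins was not the administrator. The following is an added example, not NetIQ's risk service or any code from the panel; the log lines, the coordinates (a GeoIP lookup is assumed to have already run) and the 1000 km/h threshold are all constructed for the demo.

```python
"""Impossible-travel check over a constructed login log.
Added example of the login-velocity anomaly; not NetIQ's risk service.
Log lines, coordinates and the speed threshold are assumptions for the demo."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; tune for your population

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str  # label from the (assumed) GeoIP lookup, for the analyst

# Constructed sample: ts,user,lat,lon,place. GeoIP resolution already applied.
SAMPLE_LOG = """\
2024-03-04T03:00:00+00:00,admin,43.65,-79.38,Toronto CA
2024-03-04T03:45:00+00:00,admin,39.90,116.40,Beijing CN
2024-03-04T03:00:00+00:00,dba,43.65,-79.38,Toronto CA
2024-03-04T09:00:00+00:00,dba,45.50,-73.57,Montreal CA
"""

def parse_log(text: str) -> List[Login]:
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, lat, lon, place = line.split(",", 4)
        logins.append(Login(user, datetime.fromisoformat(ts), float(lat), float(lon), place))
    return logins

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(a: Login, b: Login) -> float:
    """Speed needed to get from login a to login b; inf when the places differ
    but no time elapsed, 0 when the account did not move."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = (b.when - a.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def find_impossible_travel(logins: List[Login],
                           max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[str, str, str, int]]:
    """Return (user, from_place, to_place, km/h) for each consecutive pair of
    logins by the same user whose implied speed exceeds max_kmh."""
    by_user: Dict[str, List[Login]] = {}
    for entry in logins:
        by_user.setdefault(entry.user, []).append(entry)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)  # never trust the log to be in order
        for prev, cur in zip(events, events[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                findings.append((user, prev.place, cur.place, int(speed)))
    return findings

if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"candidate for lock: {user}: {src} -> {dst} at ~{kmh} km/h")
```

On the sample data the admin account is flagged at roughly 14,000 km/h while the dba's Toronto-to-Montreal trip over six hours is left alone. In production the main source of false positives is the GeoIP step itself: corporate VPN exits, cloud egress IPs and mobile carriers all relocate a user without moving them, so the check should consult an allowlist of known egress ranges before it locks anything, and the lock should feed a review queue rather than fire silently.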
NetIQ provides security solutions that help organizations with workforce and consumer identity and access management at enterprise-scale. By providing secure access, effective governance, scalable automation, and actionable insight, NetIQ customers can achieve greater confidence in their IT security posture across cloud, mobile, and data platforms.