In protecting your organization, you always need to look for weak points. One month, you might focus on single sign-on implementation to make life easier for your users. Another month, you might hire an outside firm to do penetration testing. Through all of these efforts, you might have a risk exposure that you’re not managing, and it involves the most powerful people at your company.
Why Privileged Users Are an Important Part of Your Risk Profile
Managers, system administrators, and IT security managers are given considerable power over your organization’s systems. They receive and approve access requests for new user IDs, so your security framework relies on their judgment. If one of their user IDs were hacked or misused, the impact on your organization could be substantial.
Privileged User Accounts in the News: How Mismanaging This Risk Leads to Disaster
Why should you spend time and resources on improving your governance over privileged user IDs? That’s a good question, and the answer lies in the headlines. In short, privileged user access has made major hacking incidents possible. The following are two cases that illustrate the risk.
Inside the Uber hack: “According to Bloomberg, Uber’s 2016 breach occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository Github. Those credentials gave the hackers immediate access to the developers’ privileged accounts on Uber’s network, and with it, access to sensitive Uber servers hosted on Amazon’s servers, including the rider and driver data they stole.” – Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach
Privileged users targeted at Yahoo: Users with powerful account privileges are more likely to be targeted in hacking incidents. Take note of Yahoo’s experience: “the initial breach that led to the exposure of half a billion Yahoo accounts likely started with the targeting of a ‘semi-privileged’ Yahoo employee and not top executives. [Malcolm Palmore, the FBI special agent in charge of the bureau’s Silicon Valley office] said social engineering or spear phishing ‘was the likely avenue of infiltration’ used to gain the credentials of an ‘unsuspecting employee’ at Yahoo.” – How did Yahoo get breached? Employee got spear-phished, FBI suggests
These security incidents tell us that determined hackers understand how to exploit privileged users. Ask yourself whether your organization is taking steps to mitigate this risk. The first step in getting this risk under control is knowing who your privileged users are.
Step 1: Know Your Privileged Users
The largest and most powerful organizations often struggle with this step, so you’re far from alone if you have challenges here. In 2018, Next Gov reported: “In the case of the IRS, it took officials three months to provide auditors with a partial list of people with privileged access to its high-value assets and that list only covered about 30 percent of servers associated with those systems.” Don’t wait for auditors to find those problems in your organization.
To identify your privileged users, use these steps:
- Most sensitive systems: Focus your analysis on the systems that have substantial power over your organization’s resources. This usually includes financial systems, applications with customer data, software development tools, and IT security applications.
- Managers and IT administrators: These users are likely to have privileged IDs. Ask all of them to declare the user IDs they hold that carry privileged access.
- Developers: As we learned from the Uber hacking event, developers are usually granted privileged user IDs to carry out their work.
The above guidance may leave some gaps, but it will capture most of the affected users in your organization.
Step 2: Reduce Your Privileged Users
After carrying out step 1, you might be shocked by the number of privileged user IDs you find. In our experience, there’s nearly always an opportunity to reduce risk by reducing that number. For example, instead of giving all IT administrators “super user” rights, limit that access to two people (e.g., the manager and a backup).
Another way to reduce privileged user ID risk lies in increasing checks and balances. For instance, if you’re creating a new “super user,” you may decide to have two managers approve that access change. For highly sensitive systems, you may want to involve internal audit in reviewing the process annually.
Now that you’ve reduced your privileged user ID risk exposure, it’s time to equip those users for success.
Step 3: Provide Support and Training to Privileged Users
With great power comes great responsibility, and that principle extends to your privileged users. To carry out their duties, these users need guidance. As an IT manager, you can equip them for success. In your training, we recommend covering the following points.
- Never assume that your privileged users already know about the implications of their access. Make the risk real by referring to the case studies mentioned in this article.
- Cover common pitfalls. Walk through a few of the most common scenarios they may face as managers; for example, a “spear phishing” request for a new user ID arrives by email. How can your users assess and challenge the validity of the request before approving it?
- Demonstrate your organization’s identity management systems. Show your users how to review, change, and manage access requests with your company’s systems.
At this stage, you may encounter some protests from your users. They may tell you that you’re asking them to do too much. You might even hear, “Hey, we have a day job to do. We can’t sit around all day reviewing access requests.” We’ve heard those comments before as well.
Tip: Do you have security training in place for your entire company? If the answer is no, look at our article, “How to Deliver Password Management Training to Your Employees This Week.”
Step 4: Optimize the Process so It Becomes Reliable
To simplify your user ID governance, you need special tools. To address the compliance and record keeping aspects of management, Compliance Auditor is a good solution. It closes the loop on your program by making it easy to conduct audits.