Controlling access to privileged accounts is the most critical defense you can leverage against hackers, and passwords are probably the weakest link. Many organizations have faced hurdles in effectively reining in control of their privileged accounts and passwords. Thus, hackers continue to pounce on this weak point.
To learn more strategies for protecting your environment, watch my recent webinar "12 Strategies for Getting Your Password Game in Check".
Another critical issue is that organizations commonly rely on many different applications to fulfill a variety of business needs. This is especially true of smaller companies where access management is often distributed across many business units or system owners. This model does not allow for a functional password management program, meaning it's virtually impossible to manage user access, privilege levels, and revocation in an easy manner.
The process of securing your privileged accounts relies on a variety of factors, but two of the foremost are ensuring passwords are kept secure and enforcing a least privilege model—meaning employees have only the privileges necessary to perform their roles. Employee job functions and related access should be routinely reviewed to ensure that passwords are managed sufficiently and that privileged access reflects the most current job function. This is accomplished more easily when there is centralized management of those passwords.
I would like to offer you some strategies that can help you sharpen your password game and keep your organization's critical systems safe.
12 Strategies to Protect Your Passwords from Unauthorized Users
- Adopt and implement security policies
Good cybersecurity practices begin with good cybersecurity policy. Every practice you put into place is there to do one thing, and that is to enforce your security policies, which in turn should support your overall company policies, goals and strategies. When you are designing your policy, I recommend that you adopt and implement it with a measure that ensures and enforces a least privilege strategy for account access.
- Limit admin access to systems
I already mentioned that you should adopt a least privilege strategy. Make sure that you enforce least privilege on end-user workstations by keeping end users configured to a “Standard User” profile, which is one that will not allow them to make significant changes to your system. If users must have higher privileges to conduct a certain activity, allow the system to automatically elevate their privilege to run only approved and trusted applications. Your IT administrators should only use their privileged accounts when necessary to carry out the duties of their job.
- Protect privileged account passwords
When your privileged accounts are being used, it is critical to proactively manage, monitor, and control access to those accounts. These accounts are necessary for your IT infrastructure so they must exist, but it is your responsibility to ensure they are securely managed.
- Inventory your privileged passwords
You can't protect something if you don't know it exists. There are tools for both Windows and Unix environments that can help you discover where privileged accounts are located across your entire enterprise environment. You should know where all your accounts are located.
- Ensure an individual, and not a generic user, is accountable for the privileged account
For accountability purposes, it is critical that you have an individual who is assigned to and responsible for the accounts. There should not be any sharing of accounts going on. You want to be able to track back to the individual who took action using a particular privileged account.
- Securely store your privileged passwords
It is imperative that organizations store their privileged passwords in the most secure vaulting system available. There are many types of these systems so search for one that will fit your needs.
- Adopt a staged approach to deployment
Your password protection plan should include a step-by-step process for securing privileged account information with reasonable deadlines, deliverables, and consequences for noncompliance. The details should be outlined in your policy and your operating procedures.
- Change embedded passwords
If you use embedded passwords, your change management policies should clearly mandate the need to update hard-coded passwords and outline the specific steps for changing, maintaining, and storing them; your auditors should be recommending this as well.
- Educate key stakeholders
Stakeholders need to understand why privileged account and access management security is urgent and essential. Part of your responsibility should be to educate all your stakeholders on the seriousness of protecting your sensitive passwords.
- Provide greater visibility
Trying to secure your systems manually is the antiquated way of doing things. Automated PAM solutions can give you greater visibility into your environment while also helping you demonstrate compliance in audits. I speak more on this in the next step.
- Automate management and security of privileged account passwords
Building on step 10, as I stated, it is extremely difficult to stay on top of managing privileged accounts using manual processes. You should strive to automate your systems as soon as possible to avoid a costly and embarrassing security breach. There are some affordable PAM solutions available for organizations of any size. Automation alone won’t solve all your password problems, but it sure makes your job easier.
- Apply and enforce change management policies to privileged passwords
To ensure privileged passwords are frequently updated, you need to keep accurate and updated records of all privileged password inventories. You also need to create, implement, and enforce a change management policy that identifies the rules for creating new passwords, how often passwords need to be changed, where they are going to be stored, and who will have access to the inventory list. All this is covered in the steps I provided, but you must make sure that the policies you put in place are enforced.
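As an added example (not code from the original post), here is a small Python script that puts strategies 4, 5 and 12 into practice on a Unix host: it builds the privileged-account inventory from the passwd, group and shadow files, flags generic or shared accounts that have no single accountable individual, and flags privileged passwords older than the rotation period. The sample account data, the set of admin groups, the generic-name list and the 90-day limit are constructed assumptions.

```python
"""Privileged-account inventory for a Unix host, run over constructed sample account files."""
from datetime import date
# Constructed sample data standing in for /etc/passwd, /etc/group and /etc/shadow.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Admin:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/sh
deploy:x:1002:1002:Shared deploy account:/srv/deploy:/bin/bash
"""
GROUP = """root:x:0:
wheel:x:10:alice,deploy
sudo:x:27:bob
"""
SHADOW = """root:$6$hash:19000:0:99999:7:::
alice:$6$hash:19700:0:90:7:::
bob:$6$hash:19750:0:90:7:::
toor:$6$hash:18000:0:99999:7:::
deploy:$6$hash:19300:0:90:7:::
"""
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}  # groups treated as privileged (assumption)
GENERIC_NAMES = {"admin", "deploy", "svc", "operator"}  # names suggesting a shared account (assumption)
MAX_AGE_DAYS = 90  # rotation limit the change-management policy is assumed to set

def parse_colon_file(text):
    """Split a colon-separated account file into field lists, skipping blank and comment lines."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]

def inventory_privileged(passwd=PASSWD, group=GROUP, shadow=SHADOW, today=date(2024, 3, 1)):
    """Return {user: {"reasons", "flags", "password_age_days"}} for every privileged account."""
    membership = {}  # user -> reasons derived from admin group membership
    for name, _pw, _gid, mems in parse_colon_file(group):
        if name in ADMIN_GROUPS:
            for m in filter(None, mems.split(",")):
                membership.setdefault(m, []).append(f"member of {name}")
    # shadow field 3 is the last password change, in days since the Unix epoch
    last_change = {f[0]: int(f[2]) for f in parse_colon_file(shadow) if f[2].isdigit()}
    today_days = (today - date(1970, 1, 1)).days
    report = {}
    for user, _pw, uid, _gid, gecos, *_rest in parse_colon_file(passwd):
        reasons = (["uid 0"] if uid == "0" else []) + membership.get(user, [])
        if not reasons:
            continue  # unprivileged account: not part of the inventory
        flags = []
        if user in GENERIC_NAMES or "shared" in gecos.lower():
            flags.append("generic/shared account: assign one accountable individual")
        age = today_days - last_change.get(user, 0)  # no shadow entry: treat as never changed
        if age > MAX_AGE_DAYS:
            flags.append(f"password age {age} days exceeds {MAX_AGE_DAYS}-day rotation policy")
        report[user] = {"reasons": reasons, "flags": flags, "password_age_days": age}
    return report
```

On a real host the three constants would be replaced by the contents of the actual files, and the report feeds the inventory list and the rotation records the change management policy requires.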

Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.