Most practitioners of Privileged Access Management (PAM) tend to focus on reducing, managing, securing, and auditing the administrator and root accounts that have god-like access to their environment and assets. Some typical focuses include:
- Managing privileged credentials (rotating passwords, certification based on access, etc.)
- Removing administrative rights from all endpoints
- Enforcing least privilege across all users, applications, and processes across Windows, macOS, Unix & Linux, and even network devices
- Providing secure local and remote session monitoring capabilities (keystroke logging, etc.)
- Reporting and auditing for privileged activity anytime privileges are invoked
However, there are plenty of other privileged activities that have abstract access within your environment that can cause a world of pain if not properly managed. Many of them are not even identity or account-based. If not properly managed for privileged access, they can actually represent a “game over” event for any organization or individual.
Don’t overlook these three privileged access risks:
- “All” email groups – Almost all environments have an “all” email group that allows executives or human resources to mass email all employees within an organization. This is typically used for emailing information that is relevant to all employee, such as next year’s holiday schedule, benefit enrollment information, or even unfortunate events that may affect a large group of people or the entire company.
- Human Interface Devices (HID) – While many of the readers may consider a printer as an old school piece of technology that does not have modern attack vectors, this is far from the truth. Most modern printers and HIDs are “smart”. They can have access via the web, have browser interfaces, and can support multiple protocols for functions like printing and monitoring, including legacy ones like SNMP and FTP.
- Vendors – Ask yourself a simple question: What privileged access do your vendors have into your environment, and what privileged access do you have into your suppliers’ environments? Actually, that was a trick question and not a simple one to answer.
If this “all” group is accessible externally or internally by a threat actor or disgruntled employee, the results can be devasting – for everyone. Think this is far-fetched? Some months back, I had discussions with a CEO whose company did not properly secure the “all” email group and a threat actor sent child pornography to the entire company. Legally, the company did the right thing. They contacted the FBI and scrubbed every mail server, computer, laptop, and mobile phone to remove the images. This one nefarious email sent by a disgusting individual shut the business down for an extended period of time. The lesson learned—secure the “all” email group and any email group that can forward to large groups of people. This is privileged access, just in an untraditional form, within an application. As with any privileged access, it should be managed and locked down.
Every modern HID has attack vectors, from default credentials through missing access control lists governing who can even access the device. For example, printing to a device located within the human resources or finance departments potentially allows insiders to access any other documents that may be unintentionally left on the printer. Default credentials, even for network management, can provide access to duplicate print jobs to a malicious destination, including storing them on the device’s internal storage for later retrieval via protocols like FTP. Each of these is a form of privileged access to a potentially sensitive device. These devices should be hardened for management and usage. In fact, just as a matter of reference, any device that is being deployed in your environment that is considered “smart” HID, like TVs and projectors, can suffer from similar types of privilege flaws, including monitoring a screen when a meeting may be considered private.
Privileged access can actually mean anything from physical access to remote access that a vendor or supplier can have in order to maintain or provide some form of service into your, or their, environment. Many times, these are in the form of accounts that can be managed with an identity governance or privileged access management solution, but, often, organizations create an account in their domain, and then email or text the credentials (including the password) to the third party in order to grant access. The security of this is questionable at best. If you think this not an issue, think again. I personally closed an account in a major software vendor that was created almost 20 years ago and that still allowed me to gain access to license keys and software from my old employer. Access was still granted via my old email address, a compromised weak password, and a vendor and company that did not bother to clean up vendor access—even when employees left the organization. Obviously, the access was not administrative or root, but I did have enough access into material I should not have had. This is a privileged activity and should be managed. Certifying access for your vendors is critical to helping ensure that no inappropriate access occurs.
Take an Expansive View to Securing Your Universe of Privileges
The universe of privileges encompasses much more than administrator and root credentials. It can even apply to abstract concepts, like email groups, human interface devices, and vendor access.
The three privilege risks I detailed above are present in most organizations and need to be properly addressed. If you think you may be at risk, just start asking a few questions. Who has access to large email groups, does everyone have access to a printer or projector, and how do you manage vendor access, especially during employee or vendor turnover and transitions? This simple exercise may lead you down a more comprehensive privilege discovery process, helping you uncover all the places unmanaged privileged access lurks across your organization. With the knowledge of where privilege resides in hand, you can then implement mitigations to close backdoors into your environment and limit lateral passageways between assets—reducing your threat surface and eliminating security weak links.
BeyondTrust has the industry’s most expansive approach to securing privileged access. Via our Universal Privilege Management model, we secure every user, session, and asset across your IT environment. Learn more in this white paper, or contact us today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.