Description
Privileged Access

Overview
Privileged Access is administrator-level or otherwise elevated access to information resources. Examples include access to systems in order to perform maintenance functions, or the ability to grant other users access to sensitive data or applications. Privileged access to information resources should be limited using the "least privilege" concept: a role is granted only the minimum privileges it requires to meet business and security requirements, and no more.

Guidelines
Administrator or privileged access to systems or applications should be limited to as few roles as possible, and each role should carry only the access it requires. Examples include "support" roles that may need broader privileges to maintain the organization's systems and applications (e.g., the operations group or the patch management team). Full administrator access to systems should not be given to business users by default, because it increases the likelihood of unintended errors and of malware or unauthorized software being installed, and therefore of unauthorized access to or mishandling of sensitive information.

To achieve least privilege, roles should first be defined: the support roles mentioned above, and also the business roles that need specific access to a limited set of systems or applications. For example, a business application developer role should have access only to development systems, and only the privileges that role requires (e.g. checking code in and out, or testing applications). There may also be a business application support role that needs access to certain application servers and application configurations in production, but should have no access to application data and no ability to change operating system configurations.

Segregation of duties keeps these roles separate, so that no single person can both make and approve a privileged change, which provides oversight against unauthorized changes. Changes to role membership should also be carefully controlled through a formal approval process: for example, a request to add a user to a role (or group) should be approved by the business role owner or system owner before access to information resources is granted. Privileged access to systems should also be granted for a limited time and revoked when that time expires.

To ensure accountability, activities performed with privileged IDs should be logged by the individual systems. Each record should include: log-on and log-off events, the data or resource accessed and the type of access (read, update, create, delete), whether the action succeeded or failed, any privileged system commands used, the user ID and name, and the date and time. Because an administrator can normally alter logs stored on the system being administered, these records should also be forwarded to a log server that the privileged user cannot modify.

Privileged user access rights should also be reviewed at regular intervals (e.g. every 90 days) using a formal process, such as role or system owner approval of changes to group membership. Passwords for application, service or "system" accounts that applications or services use to reach other resources (e.g. database servers or data) also need to be controlled. Privileged passwords used by administrators should be rotated frequently: a suggested minimum is every 90 days, or every 30 days for enhanced security. Other controls to consider for larger, sensitive production networks include two-factor authentication tokens and a bastion host (jump gateway) that administrators must log on to before they can reach production systems.
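The approval requirement in the segregation-of-duties paragraph, the periodic review and the password-rotation limits above can all be checked mechanically. The following script is an added example and not code from the original page: it runs the 90-day membership review and the 90-day / 30-day password-age check over constructed records (the group names, user names, ticket numbers, dates and the review date of 1 June 2017 are all assumed sample data; a real review would read them from the directory, the change-ticket system and the password vault).

```python
"""Periodic privileged-access review.

Added example (not from the original page). All membership and account
records, ticket numbers and the review date are constructed sample data.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)    # re-certification cadence suggested above
STANDARD_ROTATION = timedelta(days=90)  # minimum rotation for privileged passwords
ENHANCED_ROTATION = timedelta(days=30)  # rotation for accounts needing enhanced security
REVIEW_DATE = date(2017, 6, 1)          # assumed date on which the review is run

# Constructed group memberships. "owner_approval" is the ticket in which the
# role or system owner approved the grant; None means no approval was recorded.
MEMBERSHIPS = [
    {"group": "db-admins", "user": "alice", "owner_approval": "TKT-101",
     "granted": date(2017, 1, 5), "expires": date(2017, 7, 5),
     "last_reviewed": date(2017, 4, 1)},
    {"group": "db-admins", "user": "bob", "owner_approval": None,
     "granted": date(2017, 2, 1), "expires": date(2017, 12, 31),
     "last_reviewed": date(2017, 2, 1)},
    {"group": "patch-mgmt", "user": "carol", "owner_approval": "TKT-117",
     "granted": date(2016, 9, 1), "expires": date(2016, 12, 1),
     "last_reviewed": date(2016, 9, 1)},
    {"group": "patch-mgmt", "user": "dave", "owner_approval": "TKT-120",
     "granted": date(2017, 1, 15), "expires": date(2017, 7, 15),
     "last_reviewed": date(2017, 1, 15)},
]

# Constructed privileged accounts and the date their password was last changed.
ACCOUNTS = [
    {"account": "root@db01", "enhanced": True, "last_rotated": date(2017, 4, 20)},
    {"account": "svc-backup", "enhanced": False, "last_rotated": date(2017, 1, 1)},
    {"account": "admin@app01", "enhanced": False, "last_rotated": date(2017, 5, 1)},
]


def review_memberships(memberships, today=REVIEW_DATE):
    """Return (group, user, issue) tuples for grants that fail the review rules.

    Rules: every grant needs a recorded owner approval; an expired grant must
    not still be in the group; an unexpired grant must have been re-certified
    within REVIEW_INTERVAL.
    """
    findings = []
    for m in memberships:
        key = (m["group"], m["user"])
        if not m["owner_approval"]:
            findings.append(key + ("no owner approval recorded",))
        if m["expires"] < today:
            findings.append(key + ("grant expired but still in group",))
        elif today - m["last_reviewed"] > REVIEW_INTERVAL:
            findings.append(key + ("not re-certified within 90 days",))
    return findings


def stale_credentials(accounts, today=REVIEW_DATE):
    """Return accounts whose password is older than the rotation limit that applies to them."""
    stale = []
    for a in accounts:
        limit = ENHANCED_ROTATION if a["enhanced"] else STANDARD_ROTATION
        if today - a["last_rotated"] > limit:
            stale.append(a["account"])
    return stale


if __name__ == "__main__":
    for group, user, issue in review_memberships(MEMBERSHIPS):
        print(f"REVIEW  {group:<12} {user:<8} {issue}")
    for account in stale_credentials(ACCOUNTS):
        print(f"ROTATE  {account}")
```

Run as-is the script reports bob (no approval, and not re-certified), carol (expired grant still present) and dave (not re-certified), and asks for rotation of root@db01 (the 30-day limit applies) and svc-backup. An expired grant is reported as a finding rather than silently dropped, because the point of the review is to show the owner that the removal never happened.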

Finally, built-in system accounts (such as "root" or "Administrator") should not be shared; they should be carefully monitored and restricted so that they cannot be used for interactive logins to sensitive systems. If such an account must be used, a password management ("vault") system should control it, so that each use is limited, authorized by the system owner, and recorded in an audit trail. System accounts can also be restricted to specific hosts so that their credentials cannot be misused elsewhere. Together these measures keep system access accountable and limited to authorized users.
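The logging fields in the accountability paragraph above, and the restrictions in this paragraph and the previous one (no interactive logins with shared system or service accounts, administrators entering production only through the bastion host), can be expressed as detection rules over the logs the systems already produce. The following script is an added example and not code from the original page. It assumes Linux sshd and sudo syslog formats, a single bastion host at 10.0.5.10, the account names shown, and a set of constructed sample log lines; no real system or incident is represented.

```python
"""Detection rules for privileged-access log events.

Added example (not from the original page). Linux sshd/sudo syslog format
is assumed; the bastion address, account names and all log lines below are
constructed sample data.
"""
import re

BASTION_HOSTS = {"10.0.5.10"}                       # assumed: the only permitted admin jump host
SHARED_SYSTEM_ACCOUNTS = {"root", "Administrator"}  # built-in accounts that must not log in interactively
SERVICE_ACCOUNTS = {"svc-backup"}                   # assumed: identities used only by software

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>command not allowed) ; )?TTY=(?P<tty>\S+) ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    "Jun  1 09:12:03 db01 sshd[2211]: Accepted publickey for alice from 10.0.5.10 port 51022 ssh2",
    "Jun  1 09:12:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Jun  1 09:30:11 db01 sshd[2290]: Accepted password for root from 10.0.9.77 port 40010 ssh2",
    "Jun  1 09:31:02 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/lib/pgsql/data/pg_hba.conf",
    "Jun  1 09:32:00 db01 sshd[2300]: Failed password for root from 203.0.113.9 port 55555 ssh2",
    "Jun  1 09:40:00 db01 sshd[2310]: Accepted publickey for svc-backup from 10.0.5.10 port 51100 ssh2",
    "Jun  1 09:45:10 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd mallory",
]


def parse_line(line):
    """Normalise an sshd or sudo line into one event dict, or None if it is neither."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "kind": "login", "user": m["user"],
                "src": m["src"], "success": m["outcome"] == "Accepted",
                "target": None, "command": None}
    m = SUDO_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "kind": "sudo", "user": m["user"],
                "src": m["tty"], "success": m["denied"] is None,
                "target": m["target"], "command": m["cmd"]}
    return None


def evaluate(lines):
    """Apply the guideline rules; return (ts, host, user, reason) alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tag = (ev["ts"], ev["host"], ev["user"])
        if ev["kind"] == "login":
            if ev["success"]:
                if ev["user"] in SHARED_SYSTEM_ACCOUNTS:
                    alerts.append(tag + ("interactive login with shared system account",))
                if ev["user"] in SERVICE_ACCOUNTS:
                    alerts.append(tag + ("interactive login with service account",))
                if ev["src"] not in BASTION_HOSTS:
                    alerts.append(tag + (f"login bypassed bastion host (from {ev['src']})",))
            elif ev["user"] in SHARED_SYSTEM_ACCOUNTS:
                alerts.append(tag + ("failed login attempt against shared system account",))
        elif not ev["success"]:
            alerts.append(tag + (f"sudo command denied: {ev['command']}",))
    return alerts


def audit_trail(lines):
    """Reduce each event to the accountability fields listed in the guidelines."""
    records = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        records.append({
            "date_time": ev["ts"], "host": ev["host"], "user": ev["user"],
            "action": "log-on" if ev["kind"] == "login" else f"privileged command as {ev['target']}",
            "resource": ev["command"] if ev["kind"] == "sudo" else f"ssh from {ev['src']}",
            "result": "success" if ev["success"] else "failure",
        })
    return records


if __name__ == "__main__":
    for ts, host, user, reason in evaluate(SAMPLE_LOG):
        print(f"ALERT {ts} {host} {user}: {reason}")
```

On the sample lines the script raises five alerts: the accepted root login (both because the account is shared and because it came from 10.0.9.77 rather than the bastion), the failed root login from 203.0.113.9, the interactive login with the svc-backup service account, and bob's denied sudo. Alice's bastion login and her permitted sudo produce no alert but still appear in the audit trail, which is the point of logging everything rather than only failures. These rules belong on the central log server, not on the administered host, since a user with root on that host can edit its local logs.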

Topic Category
Access Control
 
News Articles
NSA failed to implement security measures, says damning report (nakedsecurity.sophos.com, 6/21/2017)
40,000 Subdomains Tied to RIG Exploit Kit Shut Down (threatpost.com, 6/5/2017)
Removing admin rights mitigates most critical Microsoft vulnerabilities (www.helpnetsecurity.com, 2/23/2017)
Joomla websites attacked en masse using recently patched exploits (www.computerworld.com, 10/31/2016)
Sensitive US health and drug data left exposed by dozens of FDA security flaws (www.zdnet.com, 9/30/2016)
Sage suffers data breach from insider (www.scmagazine.com, 8/15/2016)
Cisco leaves its Unified CDM software open to hackers (www.computerworld.com, 7/3/2015)
Cisco Releases Security Update (www.us-cert.gov, 7/1/2015)
Bank security weaknesses led to cyber looting of $45M from ATMs (www.computerworld.com, 5/10/2013)
Brute Force Attacks Build WordPress Botnet (krebsonsecurity.com, 4/12/2013)
South Korea data-wipe malware spread by patching system (www.theregister.co.uk, 3/25/2013)
Syrian hacktivists hijack BBC Weather feed (www.theregister.co.uk, 3/21/2013)
One password cracked and your business is history (www.zdnet.com, 3/19/2013)
What 420,000 insecure devices reveal about Web security (news.cnet.com, 3/18/2013)
cPanel: Reset your root passwords! Hackers broke into our system (www.theregister.co.uk, 2/27/2013)
Backdoors Mitigated in a Number of Barracuda Networks Products (threatpost.com, 1/24/2013)
Patient data revealed in medical device hack (www.scmagazine.com, 1/17/2013)
Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices (threatpost.com, 1/9/2013)
Swiss spy agency warns CIA, MI6 over 'massive' secret data theft (www.zdnet.com, 12/4/2012)
4 Long-Term Hacks That Rocked 2012 (www.darkreading.com, 11/8/2012)
Pilfering sysadmin gets four years and $2.3m fine for kit theft (www.theregister.co.uk, 10/5/2012)
White Papers
Implementing DSD’s Top Four for Windows Environments (www.dsd.gov.au, 11/1/2011)
Top Four Mitigation Strategies to Protect your ICT System (www.dsd.gov.au, 9/1/2011)