What to do with the castle keys?
A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company's ability to deliver for its customers, and therefore to its value. This is the third of a series of posts about cybersecurity risk and how you can reduce it to give customers and investors confidence.
I wrote in my previous post about how hackers don't break in, they log in. Well, the login they are really after is one to an account with admin rights. These accounts can allow an attacker to do whatever they want with the digital footprint of your company, and so must be guarded with the highest security possible.
My account is a super admin, is that ok?
In short, no! Super admin accounts and other forms of administrator accounts are considered ‘privileged’ accounts. As a company grows and technology control becomes centralised, these accounts become ‘God Mode’ accounts and must be protected with the highest level of security. Compromise of one of these accounts could result in the deletion of large swathes of a company’s digital existence. The careful management of these privileged admin accounts is often referred to as PAM (Privileged Access Management).
What do I need to consider for managing privileged admin accounts?
The most important concept to understand is the principle of 'Least Privilege', i.e. granting each account only the privileges it needs to do its job, and no more. The first step towards that is creating separate accounts for your highly privileged access; that way, if your normal account is compromised in day-to-day use, there is a limit to the damage that can be done.
Generally a company will only have a handful of staff who also hold a separate admin account, and the protections on those admin accounts will be very tight. Those protections might include IP address restrictions, phishing-resistant MFA such as physical security keys, short session timeouts, or restricting sign-in to specific managed devices.
Ideally these separate admin accounts should be as little known as possible and never used for day-to-day work. Pragmatically this becomes challenging, as many SaaS systems have a 'Primary Owner' account that needs a working mailbox, and you may also want that account to sign in through SSO rather than with its own password.
A tool that can be particularly useful for keeping the number of standing privileged roles down is PIM (Privileged Identity Management). This lets you elevate the privilege level of specific users on a 'just in time, for just long enough' basis, with approvals and notifications, after which the elevation expires automatically. It is particularly helpful when working with external contractors.
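The two ideas above, a separate admin identity that is only usable under tight sign-in conditions, and a JIT elevation that expires by itself, can be modelled in a few dozen lines. The following is an added, illustrative example and is not code from this post or from any PIM product; the allowed network, MFA methods, session and activation limits and the sample sign-ins are all constructed for the example.

```python
"""Illustrative model of the controls on a separate privileged admin account:
a just-in-time (JIT) role activation that expires on its own, and a fail-closed
check of the sign-in context before the elevated role can be used.
Added example; real IdP / PIM products implement these ideas their own way."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Hypothetical policy values, chosen for the example.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # office egress (TEST-NET-3, constructed)
PHISHING_RESISTANT_MFA = {"fido2", "platform_passkey"}      # security keys / device-bound passkeys
MAX_SESSION_AGE = timedelta(minutes=30)                     # short session timeout
MAX_ACTIVATION = timedelta(hours=4)                         # "just long enough" cap


@dataclass
class Activation:
    """A JIT grant: `role` held by `user`, approved by `approver`, until `expires_at`."""
    user: str
    role: str
    approver: str
    expires_at: datetime


@dataclass
class SignIn:
    """The context of one privileged sign-in, as an IdP would expose it."""
    user: str
    source_ip: str
    mfa_method: str
    device_compliant: bool
    session_started: datetime


def request_activation(user, role, approver, hours, now, log):
    """Grant `role` to `user` for `hours` (capped at MAX_ACTIVATION), recording the approver."""
    if approver == user:
        raise PermissionError("requester cannot approve their own elevation")
    ttl = min(timedelta(hours=hours), MAX_ACTIVATION)
    act = Activation(user, role, approver, now + ttl)
    log.append(f"{now.isoformat()} ACTIVATE {user} {role} by {approver} until {act.expires_at.isoformat()}")
    return act


def check_privileged_signin(s, activation, now, log):
    """Return (allowed, verdict). Every control must pass; anything missing or odd denies."""
    reasons = []
    if activation is None or activation.user != s.user or now >= activation.expires_at:
        reasons.append("no active JIT grant")
    try:
        ip = ipaddress.ip_address(s.source_ip)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            reasons.append("source IP outside allowed networks")
    except ValueError:
        reasons.append("unparseable source IP")
    if s.mfa_method not in PHISHING_RESISTANT_MFA:
        reasons.append(f"MFA method {s.mfa_method!r} is not phishing resistant")
    if not s.device_compliant:
        reasons.append("device not managed/compliant")
    if now - s.session_started > MAX_SESSION_AGE:
        reasons.append("session older than limit, re-authentication required")
    verdict = "ALLOW" if not reasons else "DENY " + "; ".join(reasons)
    log.append(f"{now.isoformat()} SIGNIN {s.user} from {s.source_ip}: {verdict}")
    return (not reasons, verdict)


def demo():
    """Constructed scenario: one approved grant, one good sign-in, one bad one, one too late."""
    log = []
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grant = request_activation("alice-admin", "GlobalAdmin", "bob", hours=2, now=t0, log=log)
    good = SignIn("alice-admin", "203.0.113.10", "fido2", True, t0)
    bad = SignIn("alice-admin", "198.51.100.7", "sms", False, t0)
    ok_good, _ = check_privileged_signin(good, grant, t0 + timedelta(minutes=5), log)
    ok_bad, why = check_privileged_signin(bad, grant, t0 + timedelta(minutes=5), log)
    ok_late, _ = check_privileged_signin(good, grant, t0 + timedelta(hours=3), log)  # grant expired
    return ok_good, ok_bad, ok_late, why, log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```

The shape matters more than the specific values: the grant carries an approver and an expiry, the sign-in check is fail-closed (an unparseable IP or a missing grant is a denial, not a pass), and every decision is appended to a log that your SOC can alert on.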
Ok, my privileged accounts are separate and secured – I'm good now, right?
Sadly not! The next area of privileged access to look at is on your devices – this is referred to as EPM (Endpoint Privilege Management) as each device is considered an ‘endpoint’ in a network.
When you install or run an application on a Windows or macOS device, it runs with the privileges of the account that launched it:
- The primary account on any consumer Windows or Mac device is a local administrator with total access to the device. When you install something you will often see a popup requesting 'Administrator' approval, which that same account can satisfy with a click or its own password. Malware or ransomware run from that account therefore inherits total control of the device.
- Managed Windows or Mac devices are usually configured so that the user has a 'standard' account, with a separate local admin account held back for IT use. This limits the damage that can be done by malware or ransomware the user runs, as it cannot take complete control of the device without a separate elevation step.
Restricting users to standard accounts on their devices can create significant friction, as they lose the flexibility to install applications themselves. You can reduce that friction by configuring security profiles that allow installs from an app store, or by using EPM tools such as BeyondTrust, which allowlist specific admin actions on the device, require an authorisation code for others, and block the rest outright. Most MDM (Mobile Device Management) tools also let your IT support install and update applications remotely.
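The allow / challenge / block split described above is easier to reason about as a small policy engine. The following is an added, illustrative example, not the policy engine of BeyondTrust or any other EPM product: the signer allowlist, blocked binaries, shared key and code validity window are constructed assumptions, and the "authorisation code" is modelled as a short HMAC response bound to the specific file, device and time window, which is the general shape of the challenge/response flow such tools use.

```python
"""Illustrative endpoint privilege management (EPM) policy: an elevation request
from a standard user is allowed silently, challenged for a code, or blocked by rule.
Added example; not any vendor's implementation."""
import hashlib
import hmac
import struct

# Hypothetical rules. Real products match on code-signing identity, path and file hash.
ALLOWED_SIGNERS = {"Corp IT Installer", "Apple Inc."}      # silent elevation
BLOCKED_BINARIES = {"cmd.exe", "powershell.exe", "bash"}  # never elevate interactive shells
# Anything else -> challenge: the user must obtain a code from IT.

# Shared secret between endpoint agent and helpdesk (constructed; would be provisioned by MDM).
CHALLENGE_KEY = b"example-key-not-for-production"
CODE_VALIDITY = 600  # seconds per time window, an assumption for the example


def decide(binary, signer):
    """Static rule evaluation; block rules win over allow rules."""
    if binary.lower() in BLOCKED_BINARIES:
        return "block"
    if signer in ALLOWED_SIGNERS:
        return "allow"
    return "challenge"


def challenge_id(binary, file_hash, device_id):
    """Challenge shown to the user; binds any issued code to this file on this device."""
    h = hashlib.sha256(f"{device_id}|{binary}|{file_hash}".encode()).hexdigest()
    return h[:12]


def issue_code(chal, window):
    """Helpdesk side: 8-digit code for this challenge in one time window (unix time // CODE_VALIDITY)."""
    mac = hmac.new(CHALLENGE_KEY, chal.encode() + struct.pack(">Q", window), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_code(chal, code, now):
    """Endpoint side: accept the current window or the previous one to tolerate clock skew."""
    w = int(now) // CODE_VALIDITY
    return any(hmac.compare_digest(issue_code(chal, x), code) for x in (w, w - 1))


def elevate(binary, signer, file_hash, device_id, code=None, now=0):
    """Outcome of an elevation request: 'allow', 'block' or 'challenge:<id>' to show the user."""
    outcome = decide(binary, signer)
    if outcome != "challenge":
        return outcome
    chal = challenge_id(binary, file_hash, device_id)
    if code is not None and verify_code(chal, code, now):
        return "allow"
    return "challenge:" + chal


if __name__ == "__main__":
    # Constructed walk-through: unsigned tool -> challenge -> helpdesk code -> allow.
    prompt = elevate("tool.exe", "Unknown Publisher", "deadbeef", "laptop-42")
    chal = prompt.split(":", 1)[1]
    code = issue_code(chal, 1700000000 // CODE_VALIDITY)
    print(prompt, code, elevate("tool.exe", "Unknown Publisher", "deadbeef", "laptop-42", code, 1700000000))
```

Two properties are worth copying into any real policy: a code is useless on another device or for another file because the challenge is derived from both, and it stops working after the window passes, so a leaked code cannot be replayed later.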
Bottom line
Your admin accounts, and the accounts that can change your domain records, are the keys to the castle. Creating separate identities for these highly privileged accounts and restricting access to them with extra-tight security is critical to maintaining robust security. We also strongly recommend thinking carefully about EPM: make sure your users can only install safe applications on their devices, and that those applications are routinely updated to minimise vulnerabilities and the size of your attack surface.
If you are navigating some of these challenges at the moment, we can help. Our mission is to help you reduce your cyber risk, so our help can take whatever form is most useful to you, from conducting an assessment of your current setup, to advising on system architecture and configuration, introducing trusted partners, training up staff, or helping with operating model development or hiring. Please reach out below 👇