You turn on the evening news and a breaking report flashes, “Major Data Breach of Huge Corporation, details at 11” and you immediately begin to question, “could this happen to my organization?”
In the wrong hands, privileged accounts represent the biggest threat to enterprises, and unfortunately they are a reality for many companies that are not exercising the right precautions. According to the Black Hat 2016 Hacker Survey Report from Thycotic, 77% of Black Hat survey hackers believe no password is safe from hackers, or the government.

“It is no longer acceptable for businesses to assume they can keep attackers off their networks,” said Jim Legg, CEO, Thycotic. “The most damaging cyber-attacks occur when privileged credentials are stolen, giving attackers the same level of access as internal people managing the systems. This puts an organization at the mercy of an attacker’s motivation – be it financial, ransomware or other harm to the business.”

This is where privileged password security comes in. Privileged password security is a type of password management used to secure the passwords for login IDs that have elevated security privileges. It is critical that you have password protection policies in place to prevent unauthorized access and demonstrate security compliance.

In the words of Nick Cavalancia, Founder of Techvangelist, “No two privileged accounts are necessarily the same. A “privileged” account can have access to anything from slightly elevated permissions on a single workstation, to every part of your network – and anything in between. So, it makes sense that your security strategy around protecting these privileged passwords won’t be identical either.”

What Cavalancia is pointing to is a layered approach to privileged password security. Layered security, also known as layered defense, describes the practice of combining multiple mitigating security controls to protect resources and data. He advises, “Begin thinking about what layers are necessary as part of your privileged password security strategy, and how you will implement those layers. By putting a layered approach in place, you strengthen your company’s security stance, protecting it from misuse of privileged accounts by both internal and external offenders.”

Chances are, your enterprise already believes in layers, but it is best practice to perform a regular assessment. Ask yourself if your layers address the following issues:
- Who has access to a privileged account’s password?
- Where can that password be used?
- When can the password be used?
- How can the password be used?
- What kinds of accountability are in place to ensure proper use?
Be sure to consider the password risk itself. Does this password follow suggested guidelines? How regularly is it updated?

“Best practice for privileged passwords means inserting a process that will ensure that each use of administrative authority is authorized and tracked. That starts by making sure that these highly sensitive passwords aren’t in the hands of humans, but rather in the hands of a secure, automated Privileged Identity Management system,” suggests Jonathan Sander, VP of Product Strategy at Lieberman Software. “Often the only real change for the privileged users who need access to these passwords to do their jobs is getting the passwords from a secure system versus a highly insecure place – like the dreaded but common password spreadsheet on a shared drive (like the one we saw stolen in the Sony breach a couple years ago).”

Even with these systems, there are a few tips that I will outline here to reinforce the message.
- Rotate passwords on privileged endpoints constantly
- Actively monitor privileged user access
- Enforce strong password policies for end users
- Educate your employees on privileged password security
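As an added illustration (not code from this post or from Thycotic, Lieberman Software or Cybrary), here is a minimal Python check-out gate that evaluates a request for a privileged password against the five layer questions above (who, where, when, how, accountability) and the rotation tip; the account, policy values, users and hosts are constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    allowed_users: frozenset    # WHO may check the password out
    allowed_hosts: frozenset    # WHERE it may be used from
    window_utc: tuple           # WHEN: (start_hour, end_hour) in UTC
    allowed_actions: frozenset  # HOW it may be used
    last_rotated: datetime      # feeds the rotation check
    max_age: timedelta = timedelta(hours=24)

@dataclass(frozen=True)
class CheckoutRequest:
    user: str
    host: str
    action: str
    at: datetime

AUDIT_LOG = []  # ACCOUNTABILITY: every decision is recorded, granted or not

def checkout(acct, req):
    """Return (granted, reasons); all layers are evaluated so the audit
    entry names every failing layer, not just the first one hit."""
    reasons = []
    if req.user not in acct.allowed_users:
        reasons.append("who: user not authorised for this account")
    if req.host not in acct.allowed_hosts:
        reasons.append("where: host not an approved jump point")
    start, end = acct.window_utc
    if not start <= req.at.hour < end:
        reasons.append("when: outside the maintenance window")
    if req.action not in acct.allowed_actions:
        reasons.append("how: action not permitted")
    if req.at - acct.last_rotated > acct.max_age:
        reasons.append("rotation: password older than max_age, rotate first")
    granted = not reasons
    AUDIT_LOG.append({"account": acct.name, "user": req.user, "host": req.host,
                      "action": req.action, "at": req.at.isoformat(),
                      "granted": granted, "reasons": list(reasons)})
    return granted, reasons

# Constructed sample policy (hypothetical account, user and jump host)
NOW = datetime(2016, 9, 1, 10, 0, tzinfo=timezone.utc)
SQL_ADMIN = PrivilegedAccount(
    name="sql-prod-admin", allowed_users=frozenset({"alice"}),
    allowed_hosts=frozenset({"jump01"}), window_utc=(8, 18),
    allowed_actions=frozenset({"restart-service", "apply-patch"}),
    last_rotated=NOW - timedelta(hours=2))
```

A real vault would also release the password only for the approved session and rotate it on check-in; the point here is that each layer is a separate, auditable decision.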
Luckily, Cybrary can help with tip #4. Recently, we’ve partnered with Thycotic to produce a Privileged Password Security Micro Certification, which teaches you the basics of privileged account management.

This certification is intended for IT administrators, systems administrators, and security professionals responsible for protecting their organizations from common security threats. You will learn what privileged accounts are, why they need extra security, and best practices on how to safeguard these important accounts according to the latest security standards. You will cover practical, hands-on guidelines on securing your privileged accounts.

If the password spreadsheet is a terrifying reality for your organization, or if you haven’t reviewed privileged account security measures recently, get this certification and prevent the next major data breach. Code OBLOG50 is even valid for half off the Privileged Password Security micro certification if you have not used it yet.

Olivia Lynch (Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.