Over the last few years we have seen a shift in the requirements set out in compliance mandates, in an attempt to combat the increasing frequency and severity of data breaches. For example, in February of this year, PCI DSS (the compliance standard aimed at protecting payment card information) best practices were made mandatory, to ensure that merchants and service providers took action to handle card information in a secure and responsible manner.
In 2017, the giant US retailer Target was involved in a massive data breach in which over 40 million customers had their credit card information stolen. Attackers gained access to this information through credentials stolen from a service company that Target had hired to monitor its energy consumption. Why did this service company’s credentials grant attackers access to Target’s point-of-sale systems? That’s a good question.
Breaches like these highlight the importance of privileged user management. You should always work towards a policy of least privilege, where users only have access to the systems and data they need to do their job, nothing more.
What is a Privileged User and Why Should You Monitor Them?
In layman’s terms, a privileged user is anyone who has access to critical systems and/or sensitive data. You can essentially think of privileged users as those who have the keys to your safe. When you think about it in those terms, how many users would you really want to give privileged access to?
Privileged users are trusted with potentially unrestricted access to business-critical systems and valuable data. A rogue user hellbent on abusing these privileges has the potential to copy/steal data containing PII to sell on the black market. They could modify their own permissions or those of another user to get complete access to everything, including data you might want to stay confidential.
Data breaches that occur through privileged user accounts aren’t exclusively down to malicious intent. Sometimes users simply make a mistake, accidentally compromising the integrity of systems and data, or unintentionally leaking sensitive information. This highlights the importance of privileged user management and maintaining that least privilege policy.
3 Ways to Audit and Monitor Privileged Users
So, now that we’ve been through the dangers associated with privileged user accounts, we can discuss some steps you can take immediately to mitigate them. What we’re essentially going to talk about here is getting insight into who your privileged users are and what they’re doing in your systems.
Identify Privileged Users and Revoke Access to Those That Don’t Require It
The first essential step towards better privileged user management is to identify those users in your organization that currently have privileged access and those that NEED it. Do those two lists match? Chances are, you’ll find users with levels of access that they do not require. In such cases, ensure you scale back these permissions to the bare minimum. That way, you can mitigate the risk of attackers, or careless employees, getting the keys to the safe.
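The comparison described above can be scripted against Active Directory. The following is an added example, not Lepide’s code: it expands the membership of the built-in privileged groups (nested groups included), compares it against an approved baseline, and lists accounts to review. It assumes the RSAT ActiveDirectory module is installed, and the baseline CSV path and columns (Group, SamAccountName) are constructed for this example.

```powershell
# Added example: reconcile actual privileged group membership against an approved baseline.
Import-Module ActiveDirectory

# Built-in groups that hand out "keys to the safe"; extend with your own delegated admin groups.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# Approved baseline (constructed path): CSV with columns Group,SamAccountName.
$baselinePath = 'C:\Audit\privileged-baseline.csv'
$baseline     = Import-Csv -Path $baselinePath

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members  = Get-ADGroupMember -Identity $group -Recursive |
                Where-Object { $_.objectClass -eq 'user' }
    $approved = @(($baseline | Where-Object { $_.Group -eq $group }).SamAccountName)

    # Members present in the group but absent from the baseline: candidates for revocation.
    foreach ($m in $members) {
        if ($approved -notcontains $m.SamAccountName) {
            $user = Get-ADUser -Identity $m.SamAccountName -Properties LastLogonDate
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $m.SamAccountName
                Enabled        = $user.Enabled
                LastLogonDate  = $user.LastLogonDate   # stale accounts are the easiest to remove
                Action         = 'Not in baseline: review and revoke if not required'
            }
        }
    }

    # Baseline entries no longer in the group: the baseline itself is out of date.
    foreach ($a in $approved) {
        if (@($members.SamAccountName) -notcontains $a) {
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $a
                Enabled        = $null
                LastLogonDate  = $null
                Action         = 'In baseline but not in group: update baseline'
            }
        }
    }
}

$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path 'C:\Audit\privileged-findings.csv' -NoTypeInformation
```

Run it from an account with read access to the domain and keep the findings CSV with the date, so repeated runs give you an audit trail of how the privileged population shrinks over time.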
Implement Policies for Better Privileged User Management
Once you have identified those users that legitimately deserve permissions to your most critical systems and sensitive data, enforce policies to ensure that they understand the responsibilities they have and act accordingly.
Privileged users should know how much trust you have placed in them, and the potential consequences of mishandling data. Training on best practices when it comes to handling data and password management should be given at regular intervals. These accounts should have very strong passwords that are updated regularly and should not be shared with anyone other than the owner.
Prepare for every eventuality. What happens if a user changes role within the organization? They may now require completely different access rights. Ensure you have a policy whereby the IT team is informed of such personnel changes so that they can make the required changes to permissions.
Audit and Monitor Privileged Users
All actions that privileged users take within your critical systems should be monitored. If a privileged user copies a file on your file server, you should be able to find out the details. For most, continuously and proactively auditing privileged users requires implementing an auditing and monitoring solution, as native auditing is too clunky to get the job done.
Solutions like LepideAuditor enable you to audit, monitor and alert on privileged user activity in your critical systems and to your sensitive data. It provides you with all the essential log information in one place for every change, including who, what, where and when details. This information enables you to investigate changes and take action, if necessary. The solution even allows you to roll back unwanted or unauthorized changes to Active Directory and Group Policy.
If you do decide to go down the route of implementing a third-party solution, ensure that it enables you to audit and monitor the following:
- Who your privileged users are
- All actions your privileged users take within your IT environment
- Any changes that take place to permissions
Check that the solution you choose is able to send through alerts in real time if any of the above takes place so that you can respond as soon as possible.
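To show what the third point on that list looks like in native logs (and why a solution that correlates and alerts on them is useful), here is an added example, not Lepide’s code, that pulls membership changes to privileged groups from the Security log of a domain controller. It assumes group-management auditing is enabled and that the domain controller name and the 24-hour window are placeholders you adjust.

```powershell
# Added example: surface additions to and removals from privileged groups from the Security log.
# Event IDs: 4728/4732/4756 = member added to a global/local/universal security group,
#            4729/4733/4757 = member removed from the same group types.
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

$domainController = 'DC01'                  # constructed placeholder; use your DC name
$since            = (Get-Date).AddHours(-24) # look-back window for this run

$events = Get-WinEvent -ComputerName $domainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = $addIds + $removeIds
    StartTime = $since
} -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the group that changed; skip groups we do not treat as privileged.
    if ($privilegedGroups -notcontains $data['TargetUserName']) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($addIds -contains $e.Id) { 'Added' } else { 'Removed' }
        Group     = $data['TargetUserName']
        Member    = $data['MemberName']                                   # DN of the account
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        EventId   = $e.Id
    }
}

if ($changes) {
    # Every addition to a privileged group should map to an approved change; flag them loudly.
    $changes | Sort-Object Time | Format-Table -AutoSize
    $changes | Where-Object Action -eq 'Added' |
        ForEach-Object { Write-Warning "$($_.Member) added to $($_.Group) by $($_.ChangedBy)" }
} else {
    Write-Output "No privileged group membership changes since $since on $domainController."
}
```

Each domain controller logs only the changes it processed, so run this against every DC (or a central log collector) for full coverage.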
If you’re not sure where to start when it comes to managing your privileged users, come and talk to us. You can also download a free trial of LepideAuditor to see how the solution could give you instant value in auditing, monitoring and alerting on the activities of your privileged users.