The 5 'sins' of privileged access management

There are ways to bolster this element of cybersecurity, and eliminating things like apathy, greed and, yes, pride can help avoid misuse.
By Bill Siwicki

About 80 percent of data breaches are the result of the abuse or misuse of privileged credentials, Forrester Research has found.

Because so many attacks start with the misuse of privileged accounts, it is not surprising that many security executives would say the following three security measures are somewhat to extremely important to their efforts: privileged access management (83 percent), privileged session management (74 percent) and privilege elevation management (74 percent), according to a survey of 500 IT professionals with involvement in privileged access management conducted by cybersecurity firm BeyondTrust.

When asked what issues keep them awake at night, survey respondents most often cited the misuse of personally identifiable information (86 percent), downtime of computing systems (85 percent), and loss of intellectual property (80 percent).


Ultimately, the survey revealed what BeyondTrust called the five “deadly sins” of privileged access management and how they prevent organizations from effectively protecting sensitive information.

The first deadly sin is apathy. When asked to list the top threats associated with passwords, survey respondents listed employees sharing passwords with colleagues (79 percent), employees not changing default passwords their devices ship with (76 percent), and using weak passwords like “12345” (75 percent).

Despite knowing better, respondents admitted that many of these same bad practices are common within their organization. A third of the respondents reported users routinely share passwords with each other, and a fourth reported the use of weak passwords. One in five reported many users don’t even change default passwords.

The second of the deadly sins is greed. Users often insist they need full administrative privileges over their devices, and that can create problems for IT. 79 percent of respondents cited allowing users to run as administrators on their machines as their biggest threat, followed by not having control over applications on users’ machines (68 percent).

Yet, nearly two in five respondents admitted it is common for users to run as administrators on their machines. Many respondents said these practices have directly caused downtime of computing systems.

The third sin is pride. One in five respondents said attacks combining privileged access with exploitation of an unpatched vulnerability are common. Simply patching known system vulnerabilities can prevent most of today’s commonly reported attack vectors. Yet, too often, IT does not stay current on its patches, BeyondTrust said.

The fourth deadly sin is ignorance. Two-thirds said managing least privilege for Unix/Linux servers is somewhat to extremely important. One popular option is Sudo, a program for Unix-like operating systems that allows users to run programs with the security privileges of another user.

However, just 29 percent said Sudo meets their needs. The most commonly cited problems with Sudo included being time-consuming to use (32 percent), complexity (31 percent) and poor version control (29 percent). Despite this, the typical respondent runs Sudo on 40 workstations and 25 servers.

And the fifth deadly sin is envy. Enterprises are rushing to embrace cloud computing. Yet, more than a third report that they are not involved in protecting SaaS applications from privileged access abuse.

There are a variety of steps any organization can take to address these “deadly sins” of privileged access management, BeyondTrust advised. These include: deploy enterprise password management globally across all data centers, virtual and cloud; remove local admin rights from all Windows and MacOS end users immediately; prioritize and patch vulnerabilities; and unify privileged access management – on-premise, in the cloud – into a single console for management, policy, reporting and analytics.
