Easiest Way for Cybercrime is with “Privileged Access” in an Organisation
#cybersecurity #cybercrime #breach
One of the priorities of every cybersecurity organisation is to explain that the majority of breaches occur through compromised “privileged access” accounts. Depending on the age and size of a business, privileged access account management may have gone unchecked for years or even decades, allowing a growing number of accounts to gain access both on site and remotely, alongside RPA (robotic process automation) tools that run with privileged access. All of the firewalls and security measures a business may have in place are useless if a stolen privileged access account gives criminals a “free pass”.
Analyzing the history of the privileged accounts within a business often uncovers old and outdated accounts that should have been removed, as well as current accounts that possibly should not have “Privileged Account” status. It is estimated that, over time, privileged accounts can outnumber standard employees by as much as three to four times.
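As an added illustration of the review this paragraph describes (example code, not from the original article), the following Python script runs a privileged-account audit over a constructed directory export: it lists accounts in privileged groups, flags those whose last logon is older than a threshold, lists non-IT human accounts that hold privileged membership, and computes the privileged-to-employee ratio. The account names, group names, department labels and dates are all assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed directory export (hypothetical names, groups and dates, not real data).
ACCOUNTS = [
    {"name": "alice",        "dept": "IT",      "human": True,  "groups": ["Domain Admins"],                  "last_logon": "2024-05-01"},
    {"name": "bob",          "dept": "Sales",   "human": True,  "groups": ["Domain Users"],                   "last_logon": "2024-05-02"},
    {"name": "carol",        "dept": "HR",      "human": True,  "groups": ["Domain Users", "Administrators"], "last_logon": "2022-01-15"},
    {"name": "dave",         "dept": "Finance", "human": True,  "groups": ["Domain Users"],                   "last_logon": "2024-04-20"},
    {"name": "svc_backup",   "dept": "IT",      "human": False, "groups": ["Domain Admins"],                  "last_logon": "2021-11-30"},
    {"name": "rpa_invoices", "dept": "Finance", "human": False, "groups": ["Administrators"],                 "last_logon": "2024-05-03"},
    {"name": "erin",         "dept": "IT",      "human": True,  "groups": ["Domain Users", "Domain Admins"],  "last_logon": "2024-05-04"},
]

# Group names that confer privileged access (assumed set; adjust to the directory in use).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def is_privileged(account):
    """True if the account belongs to any privileged group."""
    return bool(set(account["groups"]) & PRIVILEGED_GROUPS)


def privileged_accounts(accounts):
    """Names of all accounts, human or not, with privileged group membership."""
    return sorted(a["name"] for a in accounts if is_privileged(a))


def stale_privileged(accounts, as_of, max_idle_days=90):
    """Privileged accounts with no logon within max_idle_days of as_of (ISO date string).
    These are the 'old and outdated' accounts that should be reviewed for removal."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_idle_days)
    return sorted(
        a["name"] for a in accounts
        if is_privileged(a) and date.fromisoformat(a["last_logon"]) < cutoff
    )


def business_user_privileged(accounts, it_departments=("IT",)):
    """Human accounts outside IT that hold privileged membership, i.e. candidates
    that possibly should not have Privileged Account status."""
    return sorted(
        a["name"] for a in accounts
        if a["human"] and is_privileged(a) and a["dept"] not in it_departments
    )


def privileged_ratio(accounts):
    """Privileged accounts (human and non-human) per human employee account."""
    humans = sum(1 for a in accounts if a["human"])
    return len(privileged_accounts(accounts)) / humans if humans else float("inf")


def audit(accounts, as_of, max_idle_days=90):
    """Combine the checks into one report dict."""
    return {
        "privileged": privileged_accounts(accounts),
        "stale": stale_privileged(accounts, as_of, max_idle_days),
        "non_it_humans": business_user_privileged(accounts),
        "ratio": privileged_ratio(accounts),
    }


if __name__ == "__main__":
    for key, value in audit(ACCOUNTS, "2024-05-10").items():
        print(f"{key}: {value}")
```

In a real environment the `ACCOUNTS` list would be replaced by an export from the directory (group membership plus last-logon timestamps), and the idle threshold tuned to the organisation's access-review cadence.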
Examples of how serious privileged access account breaches can be range from Yahoo! to Edward Snowden, all the way to the attack on the power grid in Ukraine. Numerous organisations have suffered security breaches through privileged access accounts that put their company, and in some cases their country, at risk.
Types of Human Privilege Access Accounts:
- Domain Administrative Account: This is an administrative account with the ability to work across all servers and workstations in a network. They are rarely assigned, but are among the most extensive and powerful.
- Super User Account: This is a standard account that is typically assigned to administrators in the IT Department so that they can configure applications and systems as well as add, change, or delete user accounts.
- SSH (Secure Socket Shell) key: This type of account provides direct root access to critical system control protocols within a Linux or Unix-type operating system. “root” is the account, or user name, that has access to all files and commands in the operating system.
- Administrative Account, Local: This type of account has administrative access to a workstation or endpoint, so that changes can be made with a username/password on local devices or stations only.
- Emergency Only Account: As the name suggests, this account offers users “emergency use” administrative access and is sometimes called a “break glass” or “firecall” account.
- Business User Privileged Account: This is an individual outside of the standard IT Department who is allowed sensitive system access. It might be someone in human resources, accounting/finance, or marketing.
Types of Non-Human Privilege Access Accounts:
- Application Account: This account is specific to one piece of application software and can only be used to configure, manage, or administer that software.
- SSH Key: As described above under human privileged access accounts, SSH keys can also be used in automated processes.
- Service Account: This account interacts directly with the operating system. It is used to change configuration settings or the operating system itself.
- Secret Account: This is a DevOps team term used as an all-encompassing label for API (application program interface) keys, SSH keys, and other credentials that provide DevOps team members with privileged access.
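The SSH key entries above, whether used by a person or by an automated process, both grant root access. The defensive counterpart is to review which keys in root's authorized_keys carry the `command=`, `from=` and pty restrictions that OpenSSH's authorized_keys format supports. The following Python script is an added example, not from the original article: it parses the file format (including quoted option values that contain spaces or commas) and reports each key that would give an unrestricted root login. The file contents, key material and comments are constructed.

```python
# Constructed sample of a root authorized_keys file (hypothetical keys and hosts).
SAMPLE_AUTHORIZED_KEYS = """\
# backup automation and leftover keys (constructed example)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne backup-job@host1
from="10.0.0.5",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo backup-job@host2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyThree former-admin@laptop
"""

# Key-type prefixes OpenSSH uses; option names never start with these.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_entry(line):
    """Split one authorized_keys line into (options, key_type, key, comment).
    The options field is optional and may hold quoted values containing spaces,
    so it is scanned up to the first whitespace outside double quotes."""
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = "", line
    else:
        i, in_quote = 0, False
        while i < len(line):
            c = line[i]
            if c == "\\":
                i += 2  # skip an escaped character such as \"
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        options, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def parse_options(options):
    """Turn 'from="10.0.0.5",command="/x y",no-pty' into a dict.
    Flag-style options map to True; commas inside quotes do not split."""
    opts, item, in_quote, escaped = {}, "", False, False
    for c in options + ",":
        if escaped:
            item += c
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            if item:
                name, _, value = item.partition("=")
                opts[name.lower()] = value if value else True
            item = ""
        else:
            item += c
    return opts


def audit_root_keys(text):
    """Report, per key, the restrictions that are missing for a root login."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, key_type, _key, comment = split_entry(line)
        opts = parse_options(options)
        issues = []
        if "command" not in opts:
            issues.append("no command= restriction: full root shell")
        if "from" not in opts:
            issues.append("no from= restriction: usable from any address")
        if "restrict" not in opts and "no-pty" not in opts:
            issues.append("interactive pty allowed")
        findings.append({"line": lineno, "type": key_type, "comment": comment, "issues": issues})
    return findings


def unrestricted_keys(text):
    """Comments (owners) of keys that have at least one missing restriction."""
    return [f["comment"] for f in audit_root_keys(text) if f["issues"]]


if __name__ == "__main__":
    for f in audit_root_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {f['line']} {f['type']} {f['comment']}: {f['issues'] or 'restricted'}")
```

Run against the real file, this separates automation keys that are pinned to a source address and a single command from keys that hand out a full interactive root shell; the latter are the ones an access review should justify or remove.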
Originally published at https://davinciforensics.co.za.