Technical

A growing threat: The abuse of privilege

Ransomware attacks are high on the NHS cyber security radar since WannaCry, yet another serious threat goes largely ignored: privileged user accounts. These powerful accounts can be directly or indirectly misused by internal staff or contractors, or taken over and used by attackers. Abuse of the accounts can lead to the loss of sensitive data, as well as downtime of systems and applications essential for business operation. The threat is real.  Failure to properly manage privileged accounts leaves an NHS organisation vulnerable to data leaks and cyber-attacks – it’s an open invitation to a serious breach.

By definition

When you’re ‘privileged’, you enjoy some special right or advantage that most people don’t have.

In computing, a privileged user is one who is granted special administration rights to critical systems; an individual who can make changes to the company network or infrastructure, access secure data, or even override existing security protocols. The word ‘privileged’ is there for a reason. These ‘special rights’ should be limited to the trusted few. And in the case of security, even trusted individuals need to be controlled and monitored.

The problem

It’s a dichotomy: with greater access to an organisation’s critical assets comes a greater security risk. Misuse of these privileges – either intentionally or accidentally – can have serious consequences. Even the most well-intentioned privileged user could inadvertently click on a malicious link and due to their elevated access is far more likely to do Trust-wide damage.

Additionally, the more complex an organisation’s IT systems, the more privileged users there are – comprising of both internal employees and third-party contractors. With so many privileged accounts, keeping them securely managed can be difficult. As a consequence, passwords to privileged accounts are:

  • often known to many people
  • often the same on many systems
  • rarely, if ever, changed
  • stored in plaintext, by people and by applications

Of course, there are serious consequences to these password management practices including:

  • Lack of accountability for use of shared, privileged accounts creating both security and regulatory / compliance issues.
  • External exploits, such as phishing and malware, often seek out privileged credentials as they are the gateway to everything else. With generic and shared credentials, attackers have a much easier time compromising these powerful accounts and wreaking havoc.
  • Proper account deprovisioning can be overlooked. (For example, once local admin accounts are created for maintenance, admins often forget to delete them. This leaves the privileged account ripe for attackers to exploit.)
  • If one system is compromised (e.g., an IT user’s PC or an application server), the attacker can leverage passwords stored or typed on that system to compromise additional systems

Given these consequences, it is no surprise that ‘Managing User Privileges’ features as one of the Government’s key steps for Cyber Essentials.

Mitigating the risk

PAM solves the problem. Privileged Access Management (also known as ‘PAM’, ‘Privileged Account Management’ or ‘Privileged User Management’ – or even PUM or PxM) is pivotal to controlling access.

A PAM solution offers a secure, streamlined way to authorise and monitor all privileged users for all relevant systems. PAM allows:

  • Separation of people from passwords – credentials cannot be stolen, hacked, or phished
  • ‘Just enough’ privilege’ – ensures that no more privilege than necessary is given for individuals to complete their jobs
  • ‘Just in time’ privilege – grants access only when it’s needed and automatically revokes it when the need expires
  • End-to-end accountability – it provides a granular audit trail of all privileged activity to show who has accessed what, where, and how
  • Adherence to both security and compliance requirements by defining who gets access to what and when – it adheres to the Government’s ‘Managing User Privileges’ Cyber Essentials recommendation.

Incorporating PAM into your core NHS security strategy will help combat the misuse of privileged accounts by insiders and attackers alike, as well as strengthen your overall security posture.

For more information about PAM and how it can strengthen your NHS IT strategies, VIEW OUR PRE-RECORDED WEBINAR with Osirium – Keeping Privileged Access under control »