The Dangers of Privilege Escalation

Threats no longer originate just from your network perimeter – the majority of cyberattacks today are due to privilege escalation that occurs inside the heart of your systems where your precious data lives.

For a hacker looking to steal your data, nothing beats gaining insider access to your systems. Even better – from the hacker’s standpoint – is to obtain privileged account credentials from insiders who are likely to have access to more data than regular users.

Stealing valid credentials and using them to gain legitimate network access is easier, less risky, and can be more beneficial to cyber-criminals than simply exploiting an existing vulnerability.

Privilege Escalation

Insiders (including employees and contractors) can also gain unauthorized access to data and systems by elevating the privileges associated with their accounts. Ideally, normal users should only have access to the data and systems that pertain to their job. However, if a user can find a way onto an account with higher privileges, or use that access to grant themselves more privileges, they can tap into a wealth of data and do a lot of damage.

Once an intruder (whether internal or external) gains privileged access to your systems, the blaring headlines and internal finger-pointing are not far behind. It’s not enough to lock down your own organization – any close partner that has access to your systems can be a source of a privilege escalation attack. It is crucial to have perimeter security measures in place, and they are great as far as they go, but they can’t come close to protecting your data once a criminal gains insider privileged access to your systems.

Ransomware and Privilege Escalation

More than 2,000 organizations globally were affected this summer by a massive ransomware attack that hit Eastern European institutions particularly hard. The breach was so devastating it brought work to an immediate stop in hospitals, schools, and government offices, destroying productivity and stoking fear. This multi-layered assault leveraged a series of operating-system privilege-escalation vulnerabilities to propagate malware capable of stealing usernames and passwords.

Global ransomware costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015, according to Cybersecurity Ventures.

Increasingly, the unauthorized access and misuse of privileged accounts and data – the “jewels in the corporate crown” – are the techniques regularly used by criminals. Administrative passwords, system default accounts, operating system weaknesses, and hard-coded credentials in scripts and applications are all entry points that cybercriminals can (and will) exploit.

How can you prevent privilege escalation?

The key to preventing privilege escalation is to protect and limit access to privileged accounts through a robust privileged access management (PAM) solution with built-in Privilege Elevation and Delegation Management (PEDM). Using PAM protects your systems from accidental or deliberate misuse of privileged accounts and further heightens security within your organization.

Privileged access management should be a fundamental element of all security strategies, according to IDC.

PAM offers a scalable and secure way to authorize and monitor all privileged accounts across all your systems. PAM allows you to:

  • Grant privileges to users only for systems on which they are authorized.
  • Grant access only when needed and revoke access as soon as the need expires.
  • Eliminate local/direct system passwords for privileged users.
  • Centrally manage access over a disparate set of heterogeneous systems.
  • Create an unalterable audit trail for any privileged operation.

Critical Components of PAM

Privileged Account Management solutions vary, but most offer the following components:

  • Access Managers govern access to privileged accounts. They provide a single point of policy definition and policy enforcement for privileged access management. Privileged users request access to systems through the access manager, which then grants or denies the request. A super administrator can add, modify, or delete privileged user accounts on the access manager from one centralized system – greatly improving efficiency and compliance.
  • Password Vaults keep privileged passwords encrypted in a secure store. All system access goes through the vault, so end users never have direct access to root passwords.
  • Session Managers track all actions taken during a privileged account session for future review and auditing. Further, some more robust PAM systems such as WALLIX can prevent malicious or unauthorized actions and/or alert Super Admins if suspicious activity is detected.
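The three components above, and the capability list earlier on this page (time-limited grants, no direct root passwords, an unalterable audit trail), can be shown working together in a small model. The code below is an added example written for this page; it is not WALLIX's or any product's implementation. The users, systems, one-time-code scheme, blocked-command list and vaulted password are all constructed, and the "connection" the vault opens is a stand-in for a real SSH/RDP login performed on the user's behalf.

```python
# Added example: toy model of a PAM broker with an access manager (policy +
# identity verification + expiring grants), a password vault that never hands
# the secret to the user, a session manager that records and can block
# commands, and a hash-chained audit trail that detects tampering.
# Illustrative code written for this page; all names and values are constructed.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


class AuditTrail:
    """Append-only log; each entry commits to the previous digest (hash chain)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _digest(self, prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, **event) -> None:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "digest": self._digest(prev, event)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:  # any edited or removed entry breaks the chain
            if e["prev"] != prev or e["digest"] != self._digest(prev, e["event"]):
                return False
            prev = e["digest"]
        return True


class PasswordVault:
    """Holds privileged credentials; callers get an opaque session id, never the secret."""

    def __init__(self, secrets: dict[str, str]) -> None:
        self._secrets = dict(secrets)  # "system:account" -> password (encrypted at rest in a real vault)

    def connect(self, system: str, account: str) -> str:
        password = self._secrets[f"{system}:{account}"]  # used here, never returned
        return hashlib.sha256(f"{system}:{account}:{password}:{time.time()}".encode()).hexdigest()[:12]


@dataclass
class Grant:
    user: str
    system: str
    account: str
    expires_at: float


class AccessManager:
    """Single point of policy definition and enforcement, with identity verification."""

    def __init__(self, policy, mfa_secrets, audit: AuditTrail, now=time.time) -> None:
        self.policy = policy            # user -> set of systems the user is authorised for
        self.mfa_secrets = mfa_secrets  # user -> shared secret for a constructed one-time code
        self.audit, self.now, self.grants = audit, now, {}

    def one_time_code(self, user: str, window: int) -> str:
        return hmac.new(self.mfa_secrets[user], str(window).encode(), "sha256").hexdigest()[:6]

    def request_access(self, user, system, account, code, ttl=300):
        window = int(self.now() // 30)
        expected = self.one_time_code(user, window) if user in self.mfa_secrets else ""
        if not expected or not hmac.compare_digest(expected, code):
            self.audit.append(action="access_denied", user=user, system=system, reason="identity")
            return None
        if system not in self.policy.get(user, set()):
            self.audit.append(action="access_denied", user=user, system=system, reason="policy")
            return None
        grant = Grant(user, system, account, self.now() + ttl)  # access expires automatically
        self.grants[f"{user}:{system}"] = grant
        self.audit.append(action="access_granted", user=user, system=system, account=account, ttl=ttl)
        return grant


class SessionManager:
    BLOCKED = ("rm -rf /", "chmod -R 777 /")  # constructed examples of forbidden actions

    def __init__(self, access: AccessManager, vault: PasswordVault, audit: AuditTrail) -> None:
        self.access, self.vault, self.audit = access, vault, audit

    def run(self, user: str, system: str, command: str) -> str:
        grant = self.access.grants.get(f"{user}:{system}")
        if grant is None or grant.expires_at <= self.access.now():
            self.audit.append(action="session_refused", user=user, system=system, reason="no valid grant")
            return "refused: no valid grant"
        if any(command.startswith(b) for b in self.BLOCKED):
            self.audit.append(action="command_blocked", user=user, system=system, command=command)
            return "blocked"
        session = self.vault.connect(system, grant.account)  # vault logs in; user never sees the password
        self.audit.append(action="command", user=user, system=system, session=session, command=command)
        return f"ok ({session})"


def demo() -> dict:
    """Walk through the scenarios the page describes; returns True for each expected outcome."""
    clock = [1_700_000_000.0]  # controllable clock so grant expiry is deterministic
    audit = AuditTrail()
    access = AccessManager({"alice": {"db01"}}, {"alice": b"alice-seed", "mallory": b"m-seed"},
                           audit, now=lambda: clock[0])
    sessions = SessionManager(access, PasswordVault({"db01:root": "constructed-root-pw"}), audit)
    win = int(clock[0] // 30)
    out = {"wrong_code": access.request_access("alice", "db01", "root", "000000") is None,
           "out_of_policy": access.request_access("mallory", "db01", "root",
                                                  access.one_time_code("mallory", win)) is None,
           "granted": access.request_access("alice", "db01", "root",
                                            access.one_time_code("alice", win)) is not None}
    out["command"] = sessions.run("alice", "db01", "systemctl status postgresql").startswith("ok")
    out["blocked"] = sessions.run("alice", "db01", "rm -rf /") == "blocked"
    clock[0] += 301  # grant TTL (300 s) has passed
    out["expired"] = sessions.run("alice", "db01", "ls /var/log").startswith("refused")
    out["audit_ok"] = audit.verify()
    audit.entries[2]["event"]["user"] = "nobody"  # simulate an attacker editing the log
    out["tamper_detected"] = not audit.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the user's session never touches the vaulted password: the vault performs the login and returns only a session handle, so a stolen user credential cannot be turned into the root password. The hash-chained log is the minimum needed to make a trail "unalterable" in practice; a real deployment would also ship entries to a write-once store so an administrator cannot simply regenerate the chain.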

Preventing Ransomware Propagation

In the aforementioned ransomware attack, cybercriminals were able to steal credentials using Trojan malware. Even with legitimate access to systems, PAM could have further prevented this attack by:

  • Preventing access to root systems and passwords: Password vaults prevent users from having direct access to root systems and passwords. With a PAM solution in place, cybercriminals would not have been able to escalate their privileges even with credentials to privileged accounts.
  • Identity verification: Identity verification ensures that everyone is really who they claim to be when accessing critical systems. With PAM in place, cybercriminals using stolen credentials would have failed identity verification and been denied access to data and systems.
  • Monitoring activities: With PAM, IT administrators have the tools they need to monitor and track all privileged account activity in real time. Using these PAM monitoring tools, organizations could have stopped the breach as it was happening and prevented much of the extensive damage it caused.
  • Breach context: PAM provides unalterable audit trails that help security teams understand how an individual was able to gain access to systems. This information can then be used to understand the methods used and to evaluate security practices and identify where improvements can be made.

Privileged Access Management with WALLIX

Our solution centralizes the password, access, and session managers into one easy-to-use interface that integrates with your existing security infrastructure. It provides your security team with the tools they need to monitor activities in real time and with audit trails, so you can easily meet compliance regulations and review previous sessions.

Cybercriminals are working overtime to gain access to your organization’s most valuable data. The best way to deal with privilege escalation attacks is to stop them before they happen. Your best weapon in that fight is a PAM system.

For more information about WALLIX’s Bastion PAM and PEDM solutions, contact us today.