Privileged Account and Credential Management: Part 1

A privileged account user has an elevated level of access to a network, computer system or application to perform work functions that ordinary users are not authorized to perform.

Although OS and application vulnerabilities continue to be an attack vector, the holy grail for an attacker is acquiring credentials with administrative or otherwise elevated privileges over systems, services and sensitive data. Many University Systems staff have some sort of privileged account for varying types of systems and data.

Examples:

  • Accounts used to manage staff, faculty, employee and student services that store or use personally identifiable information
  • Accounts used to set up, configure and manage servers and applications that run critical systems and store highly sensitive information
  • Accounts that have administrative, root or power user level control over systems and services

It is no secret that account breaches have been common over the last 2-4 years. Common causes of these breaches, and simply poor credential management habits, include:

  1. Weak account management requirements and faulty trust or identity-proofing mechanisms.
  2. Weak encryption, or none at all, for data at rest and data in transit.
  3. Sharing passwords with colleagues.
  4. Default passwords on publicly reachable devices or applications that are never changed.
  5. Weak passwords that are too short or not complex enough, so they are easily cracked.
  6. Passphrase or password reuse, whether for the same service over time or across services.
  7. Using privileged accounts for day-to-day tasks, e.g. connecting to wireless, or using admin or power-user accounts for routine activities including web browsing and personal use.
  8. Unsanctioned installation of applications without considering security or applying updates.
  9. Not following the principle of least privilege on Unix systems, e.g. granting blanket "sudo" (super user do: running a program as another user, typically root) access across multiple systems rather than limiting it to the specific commands a role needs.
  10. Mismanagement of SSH sessions and keys, e.g. authorized keys that are never inventoried, restricted or revoked.
  11. Failure to reset passphrases or disable privileged accounts after employee turnover (retirement, termination, change of role, etc.).
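The two Unix-side items above (blanket sudo access and unmanaged SSH keys) are easy to check for mechanically. The script below is an added example written for this page, not UVic tooling or part of the original article: it audits a sudoers file for rules whose command list is ALL (for anyone but root) and an authorized_keys file for keys with no from=/command= restriction, deprecated DSA keys, and keys with no identifying comment. The function names, the temporary directory and both input files are this example's own constructed samples, not real configuration.

```sh
#!/bin/sh
# Added example, not part of the original article. Audits a sudoers file and an
# authorized_keys file for the least-privilege and SSH-key problems described above.
# The input files below are constructed samples, not a real configuration.
set -u
set -f   # no pathname expansion while lines are split into tokens

# Print every sudoers rule (other than root's) whose command list contains ALL.
# Returns 0 if none are found, 1 otherwise, so it can gate a CI or cron job.
audit_sudoers() {
    _file=$1
    _hits=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|\#*|Defaults*|*_Alias*) continue ;;   # comments, defaults, alias definitions
        esac
        set -- $_line
        if [ "$1" = root ]; then continue; fi
        # Command list: text after "=" and after the optional "(runas)" group,
        # with whitespace and the common NOPASSWD:/SETENV:-style tags removed.
        _spec=${_line#*=}
        _spec=${_spec##*\)}
        _spec=$(printf '%s' "$_spec" | tr -d ' \t')
        _prev=
        while [ "$_spec" != "$_prev" ]; do
            _prev=$_spec
            for _tag in NOPASSWD: PASSWD: SETENV: NOSETENV: NOEXEC: EXEC:; do
                _spec=${_spec#"$_tag"}
            done
        done
        case ",$_spec," in
            *,ALL,*) printf 'sudoers: blanket rule: %s\n' "$_line"; _hits=$((_hits + 1)) ;;
        esac
    done < "$_file"
    [ "$_hits" -eq 0 ]
}

# Print findings for each line of an authorized_keys file: keys with no restricting
# options (from=, command=, ...), deprecated DSA keys, and keys with no comment that
# identifies an owner. Returns 0 if clean, 1 otherwise.
audit_authorized_keys() {
    _file=$1
    _hits=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case $_line in
            ''|\#*) continue ;;
        esac
        # Tokens before the key type are options; the token after it is the key
        # material; anything after that is the comment.
        _state=opts; _type=; _opts=0; _comment=
        for _tok in $_line; do
            case $_state in
                opts)
                    case $_tok in
                        ssh-*|ecdsa-sha2-*|sk-*) _type=$_tok; _state=key ;;
                        *) _opts=1 ;;
                    esac ;;
                key)     _state=comment ;;
                comment) _comment=$_comment$_tok ;;
            esac
        done
        if [ -z "$_type" ]; then
            printf 'authorized_keys line %d: no key type found\n' "$_n"
            _hits=$((_hits + 1))
            continue
        fi
        if [ "$_opts" -eq 0 ]; then
            printf 'authorized_keys line %d: %s key with no from=/command= restriction\n' "$_n" "$_type"
            _hits=$((_hits + 1))
        fi
        if [ "$_type" = ssh-dss ]; then
            printf 'authorized_keys line %d: deprecated DSA key\n' "$_n"
            _hits=$((_hits + 1))
        fi
        if [ -z "$_comment" ]; then
            printf 'authorized_keys line %d: no comment, key cannot be attributed to an owner\n' "$_n"
            _hits=$((_hits + 1))
        fi
    done < "$_file"
    [ "$_hits" -eq 0 ]
}

# Constructed sample inputs (assumed content, not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sample sudoers
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) SERVICES
bob     ALL = ALL
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly alice@laptop
from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyMaterialOnly
ssh-dss AAAAB3NzaC1kc3MAAACBAExampleKeyMaterialOnly olduser@desk
EOF

status=0
audit_sudoers "$SAMPLE_DIR/sudoers" || status=1             # flags %wheel and bob
audit_authorized_keys "$SAMPLE_DIR/authorized_keys" || status=1   # five findings across three keys
# status is 1 here because the samples contain deliberate problems.
```

On a real host run audit_sudoers against /etc/sudoers and each file in /etc/sudoers.d, and audit_authorized_keys against every administrator's ~/.ssh/authorized_keys; the non-zero return makes the script usable as a scheduled or CI gate. Interactive admin keys will legitimately lack command=, but a from= restriction is still worth adding, so treat those findings as a review list rather than hard errors.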

In a privileged access environment, it is important to consider which service manages your identity or credential. For all UVic centralized identity services (regular accounts), your accounts are managed with one username and an associated passphrase across multiple services, but there is no central management of privileged accounts.

Aside from their use on production systems, privileged accounts also carry risk in two other areas that present their own attack vectors:

  1. Development, pre-production or testing environments.
  2. Any service with its own identity silo.

Since these two areas are less likely than production environments to have formalized identity best practices in place, it is very important that you:

  1. Do not reuse your passphrases in any non-centralized service.
  2. Resist the urge to use short, easily crackable passphrases.
  3. Regularly assess the need to keep privileged accounts enabled.
  4. Remember to change these passphrases on a regular basis as well.
  5. Do not use privileged accounts on any device that is not UVic-owned or maintained, e.g. personal devices.

We all need unique lengthy passphrases for every service that we use.

Best Practices For Privileged Account Users:

  • Different accounts and passwords for all services.
  • Avoid sharing work devices with family or friends. If a device must be shared in any way, ensure that guests and visitors do not use it with your privileged account.
  • Always use the least privileged account required for the task you are completing.
  • If you are responsible for updates and other tasks that require admin access, use that access only when it is required.