The Privilege Is Mine: Protecting Endpoints From Compromised Credentials

When a cyber-criminal wants to break into a network, one popular technique is targeting endpoints. The aim is to steal privileged account credentials that open the door to the device’s operating system and, subsequently, the full company network.

According to Verizon’s 2021 Data Breach Investigations Report, 80% of breaches involve compromised credentials, making them one of the most common entry points for threats. Several factors contribute to this high statistic, including poor password hygiene and unnecessary privileged access to endpoints and network resources. Regardless of the IT environment, passwords for these privileged accounts are reused across multiple systems and shared between people, and default passwords get left in place.

Endpoint privilege management (EPM) is one of the best techniques for resolving this by enforcing a least privilege security posture on all users, applications and services. Least privilege ensures that these entities can access only the data, applications and services they need to function. Yet several obstacles can hinder a company’s progress in deploying EPM.

The Challenges When Implementing EPM

The principles of endpoint privilege management are straightforward, but their implementation and execution present significant challenges. One of the main concerns is that restricting access to resources and certain areas of the network will hinder productivity, because users must request access before they can retrieve the data they need. Any EPM implementation that hinders user productivity will fail. Therefore, it’s critical to create an EPM strategy that restricts user and application privileges without preventing employees from doing their jobs.

The Principle of Least Privilege Approach

Most cyber-criminals no longer hack into organizations; they log in with stolen credentials. If a cyber-criminal compromises just one endpoint with local admin rights, they can use it to access other computers, databases, domain resources and critical servers across the network. Organizations can protect themselves with a cybersecurity strategy of least privilege that limits access to only the functionality each user, application and service needs to do its job.

The first step toward complying with a least privilege policy is knowing which privileges need managing. To do this, organizations must find out which endpoints and local users have administrative credentials, then identify which applications are used and whether they require administrative rights to run. From this, they can understand their risk level for service accounts and applications with an elevated or excessive set of privileges.
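To make the inventory step concrete, here is an added PowerShell example (not from the article or any vendor product) that collects local Administrators group membership from a set of endpoints and flags members that are neither the built-in Administrator account nor the Domain Admins group. The hostnames and output path are constructed placeholders, and it assumes WinRM remoting is enabled on the targets.

```powershell
# Added example: inventory local Administrators membership across endpoints.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+)
# and PowerShell remoting (WinRM) enabled on each target. Hostnames and the
# CSV path below are constructed placeholders, not values from the article.

$Computers = @('WS-001', 'WS-002')   # constructed sample hostnames

$Inventory = Invoke-Command -ComputerName $Computers -ScriptBlock {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $m.SID.Value
        # The built-in local Administrator account always has RID 500;
        # Domain Admins is expected on domain-joined machines. Anything else
        # is a candidate for removal under a least privilege policy.
        $expected = $sid.EndsWith('-500') -or ($m.Name -like '*\Domain Admins')
        [PSCustomObject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass       # User or Group
            PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, ...
            NeedsReview     = -not $expected
        }
    }
}

# Show the entries that need review first, grouped by endpoint.
$Inventory |
    Where-Object NeedsReview |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, ObjectClass, PrincipalSource -AutoSize

# Keep the full inventory as a baseline for change management and re-checks.
$Inventory | Export-Csv -Path 'C:\Temp\local-admin-inventory.csv' -NoTypeInformation
```

Re-running the script after privileges are removed and diffing the CSV against the baseline shows whether admin rights have crept back onto endpoints.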

When users or applications operate with administrative privileges, they can access sensitive data, operating systems and powerful controls. In contrast, under a least privilege model, administrative accounts with elevated privileges are given only to the people who need them, and only when they need them.

Common EPM Pitfalls

When implementing EPM, there are several pitfalls businesses should be aware of before proceeding. The word ‘solution’ gets used a lot in technology, yet in very few instances does a single technology, method or approach constitute a standalone solution. EPM must become part of the broader security strategy. A successful strategy includes other elements like cybersecurity awareness training for users.

Ongoing cybersecurity awareness training and education are critical to a successful least privilege strategy. The value of least privilege is best understood in the context of the damage cyber-criminals can do. Unfortunately, most organizations fail at this critical task. Too few provide any training for users on privileged access management or the principle of least privilege.

Change can be challenging, so implementing change management practices will help everyone acclimatize to the new least privilege environment. Unfortunately, many companies struggle with change management. This is for a few reasons: they start too late; they underestimate the organizational impact; they outsource the function; or they bolt on changes without department-level buy-in. To increase the chances of success, businesses must assign senior leaders with change management experience to this task and hold them accountable.

The Benefits

EPM can keep exploits confined to users’ devices. By removing or reducing local administrative privileges on endpoints, organizations can minimize lateral movement via privilege escalation and pass-the-hash attacks. Policy-based controls, including allow, deny and restrict lists, help control shadow IT and manage application privileges. EPM works both independently and together with must-have endpoint security technologies to reduce attacks. The goal of integrating EPM with these technologies is to make it easier to manage the entire security stack while enhancing the effectiveness of each component. In this instance, the whole is indeed greater than the sum of its parts.

Unrestricted access to company networks and resources means that a criminal who compromises an account gains the same privileges. EPM, as part of the broader security strategy, can help keep backdoors into the network locked and assist businesses in monitoring which person in the company has access to what. Staying on top of endpoints, and of the credentials with access to them, will strengthen security defenses and keep sensitive data safe.
