Take Action With a Phased Approach to Privileged Account Management

By Yanni Shainsky • December 20, 2017

You’ve done some of the hard work already. Your organization is on board with ramping up cybersecurity efforts – and you’ve even acquired CyberArk to support your Privileged Account Management (PAM) efforts.

Now it’s time to implement your PAM solution.

As you know, a PAM system helps prevent the theft of highly privileged credentials. Managing access to privileged accounts properly also closes off a favorite route for cyber adversaries and rogue insiders: stealing privileged credentials to gain broad and undetected access to your information systems.

But implementing a PAM solution can seem like a daunting task – and you don’t want a breach at your organization to be your incentive to move forward. How do you get started and make sure your PAM solution doesn’t become shelfware?

Gain traction for your PAM project with a phased approach.

At CyberSheath, we have seen many organizations at various levels of PAM maturity. In our experience, a phased approach is the best way to deploy a PAM solution. This method enables you to tackle finite pieces of the project quickly, and it helps you make a positive impact on your organization’s security in as few as 30 days. We recommend running each phase as a sprint (usually targeted to take 30 days). Keep in mind that sometimes a phase will need to be divided into mini-sprints.

Here are the top-level phases to help you craft your PAM approach. While you may shift the order of phases to fit your organizational priorities and infrastructure complexity, we have found this hierarchy of action to be effective at rapidly identifying and remediating key security gaps.

Each phase below gives the area of focus, what it is, why it is a priority, and what you need to do.

Phase 1: Built-in Local Accounts
What it is: For Windows, a built-in account is a user account created during installation, such as the local Administrator.
Why it is a priority: These accounts have passwords that are known to multiple people, some of whom have probably left your organization. Often the same password is used across multiple systems, enabling lateral Pass-the-Hash attacks that reach much of your infrastructure. These accounts are homogeneous and tend to be the easiest to onboard as a first step in your PAM initiative.
What you need to do:
  • Identify and onboard built-in accounts: Windows (Administrator) on servers and desktops, Unix (root).
  • Enable password rotation on all of these accounts.

Phase 2: Domain Admin
What it is: Domain Admins is a built-in group in Microsoft Active Directory, typically assigned to administer all domain servers. Members of this group have full administrative rights to many components of the corporate infrastructure.
Why it is a priority: These few accounts are a master key with access to everything. Securing this small group is a fast way to safeguard your systems.
What you need to do:
  • Onboard Domain Admin accounts into CyberArk.
  • Switch to the ‘shared privileged account model’ and revoke individual domain-admin permissions.

Phase 3: Database, Exchange, and Application Admins
What it is: Database, Exchange, and application administrators manage and maintain database management systems and application software.
Why it is a priority: This is where the data is. These accounts control access to the intellectual property at your company.
What you need to do:
  • Isolate and monitor Tier 1 assets.
  • Onboard any privileged database and Exchange admin accounts.

Phase 4: Network Devices
What it is: Network devices are the components that connect computers and other electronic devices so that they can share files or resources.
Why it is a priority: Access to your network can be an entry point to any other system at your organization.
What you need to do:
  • Identify and onboard network devices, business apps, and security appliances.

Phase 5: Service Accounts
What it is: A service account is a user account created explicitly to provide a security context for services running on various operating systems and applications.
Why it is a priority: These accounts often have high-level access, and a password compromised on one of them provides a foothold for access across your network. Passwords on these accounts often have not been changed in years, so their security is suspect.
What you need to do:
  • Identify and begin addressing the management of service accounts and App IDs.
  • Purchase additional licensing as required.

Phase 6: Corporate Accounts
What it is: External accounts created in your company’s name that provide third-party services not available internally. Examples include Twitter, Facebook, and credit and bank accounts.
Why it is a priority: Unauthorized access to these accounts can adversely impact your brand and your bottom line.
What you need to do:
  • Protect corporate communications and external financial systems accounts.

Phase 7: Desktop Computers
What it is: The assets given to employees to support their work and productivity, including desktop and laptop computers.
Why it is a priority: Individual desktops can provide an entry point for attackers to infiltrate corporate systems, because local passwords tend never to change and the same password is often used across all devices.
What you need to do:
  • Enable only specific users to elevate their permissions.
  • Limit which apps and commands can be run by which users.
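The "identify" step that opens Phases 1, 2 and 5 is the part most teams stall on, because nobody has a current list of which built-in, domain-admin and service accounts exist or how old their passwords are. The script below is an added example (it is not from the original post, CyberSheath or CyberArk) that builds that inventory with standard Windows tooling: it locates the built-in local Administrator on each host by its well-known RID rather than its name, expands Domain Admins membership through nested groups, and lists services running under named accounts whose passwords can actually be rotated. Every row gets a password age and a Stale flag so the oldest, most widely shared credentials are onboarded first. It assumes the RSAT ActiveDirectory module is installed, that PowerShell remoting (WinRM) to the listed hosts works, and that the host names, the 90-day threshold and the output path are constructed placeholders. The vault onboarding itself is not shown, because that step is specific to your CyberArk configuration; the CSV is the input to it.

```powershell
# Added example, not code from the original post, CyberSheath or CyberArk.
# Discovery pass for Phases 1, 2 and 5 of a PAM rollout: produce a ranked list
# of privileged accounts to onboard, with password age, so the stalest and
# most widely shared credentials go into the vault first.
# Assumptions: RSAT ActiveDirectory module present, WinRM remoting to the hosts
# works, and the host list / threshold / output path are constructed placeholders.
#Requires -Modules ActiveDirectory

param(
    [string[]]$ComputerName = @('srv-app01', 'srv-db01', 'wks-fin07'),   # constructed placeholder hosts
    [int]$StaleDays = 90,                                                # assumed rotation policy
    [string]$OutFile = '.\pam-onboarding-candidates.csv'                  # assumed output path
)

function Get-PasswordAgeDays {
    # Whole days since the password was last set; $null when the date is unknown
    # (never-set or unreadable), which the report treats as stale.
    param($PasswordLastSet)
    if ($null -eq $PasswordLastSet) { return $null }
    return [int]((Get-Date) - [datetime]$PasswordLastSet).TotalDays
}

# Phase 1: the built-in local Administrator on each host. Match on the
# well-known RID (SID ending in -500), not the name, because renaming the
# account is common and does not change the RID.
$phase1 = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object Name, Enabled, PasswordLastSet
} | ForEach-Object {
    [pscustomobject]@{
        Phase           = 1
        Host            = $_.PSComputerName
        Account         = $_.Name
        PasswordAgeDays = Get-PasswordAgeDays $_.PasswordLastSet
    }
}

# Phase 2: every user that is a Domain Admin, including through nested groups.
$phase2 = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet |
    ForEach-Object {
        [pscustomobject]@{
            Phase           = 2
            Host            = 'AD'
            Account         = $_.SamAccountName
            PasswordAgeDays = Get-PasswordAgeDays $_.PasswordLastSet
        }
    }

# Phase 5: services running under a named account. LocalSystem, NT AUTHORITY\*
# and NT SERVICE\* virtual accounts have no password to rotate, so they are
# excluded. What remains is a local user (".\name") or a domain account
# ("DOMAIN\name" or "name@domain"); for domain accounts look up the password age.
$services = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        Select-Object Name, StartName
}
$phase5 = foreach ($svc in $services) {
    $age = $null
    $isDomain = ($svc.StartName -notmatch '^\.\\') -and ($svc.StartName -match '[\\@]')
    if ($isDomain) {
        $sam = if ($svc.StartName -match '@') { ($svc.StartName -split '@')[0] } else { ($svc.StartName -split '\\')[-1] }
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordLastSet
        if ($user) { $age = Get-PasswordAgeDays $user.PasswordLastSet }
    }
    [pscustomobject]@{
        Phase           = 5
        Host            = $svc.PSComputerName
        Account         = "$($svc.StartName) (service: $($svc.Name))"
        PasswordAgeDays = $age
    }
}

# Rank: stale first, then oldest password first. Unknown age counts as stale.
$report = @($phase1) + @($phase2) + @($phase5) |
    Select-Object Phase, Host, Account, PasswordAgeDays,
        @{ Name = 'Stale'; Expression = { ($null -eq $_.PasswordAgeDays) -or ($_.PasswordAgeDays -gt $StaleDays) } } |
    Sort-Object Stale, PasswordAgeDays -Descending

$report | Export-Csv -NoTypeInformation -Path $OutFile
$report | Format-Table -AutoSize
```

Run it from a workstation that already holds domain-admin rights, since reading Domain Admins membership and remoting to every host requires them; that is itself a reminder of why Phase 2 comes before Phase 5. Services that run as a local user (".\name") show no password age here because Get-LocalUser was only queried for the RID-500 account; in practice those are rare and belong with the Phase 1 onboarding of that host.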

Here’s a useful graphic to help with planning the phased approach for your PAM solution. Download it for your reference.


Stay tuned for more information coming soon on how to prepare for and scope an individual sprint to tackle one or more of these areas.

If you would like experienced help identifying or implementing PAM phases for your organization, you can rely on CyberSheath’s skilled SMEs. Contact us to learn more and to get started.
