Detecting Privilege Escalation


By Garret Grajek, CEO, YouAttest

During the first half of 2020 alone, over 36 billion records were exposed through various data breaches, with the FBI reporting an increase of 300% in reports since the onset of the COVID-19 pandemic. With threats, both internal and external, facing organizations at an all-time high, cybersecurity should be a critical focus for 2021, especially as remote working is a trend that will continue far into the future.

Hackers look to steal sensitive or classified information, which they can sell to other criminals, use for identity theft, or use to launch sophisticated phishing campaigns to steal even more information. How is it possible for them to gain access to this information?

By exploiting programming vulnerabilities or user errors, hackers can gain access to user accounts through a myriad of methods, including cross-site scripting, improper cookie handling, or weak passwords. The first two can be fixed through programming, while the latter requires educating users on password best practices and requirements such as complexity and expiry dates. But it’s important to note that new account takeover methods are introduced into the wild every day.

What is Privilege Escalation?

Users may also accumulate more access permissions than they need to complete their duties, referred to as privilege creep. Sometimes an employee will transition to a new role, being assigned more access permissions in the process. However, their previous (but no longer needed) access permissions remain applied to the account, which creates an additional vulnerability that hackers can exploit. Additionally, the user can act maliciously, causing another security threat.

Why do hackers want to escalate the account privileges of these compromised accounts? Once an account is compromised, hackers may be able to access even more. This is referred to as privilege escalation and can be either vertical or horizontal. In horizontal privilege escalation, the hacker can gain access to other accounts that have the same access permissions. Think of a hacker gaining access to another online banking account once they have accessed one.

In vertical privilege escalation, hackers gain access to more privileges, such as through a system or administrative account. This is the most worrying form of privilege escalation since the hackers can cause immense system damage, change account settings, access sensitive and confidential information, and even disseminate malware throughout the network.

How is Privilege Escalation Detected?

It can be challenging to detect when privilege escalation has occurred. Hackers are often skilled at deleting activity logs or making activity appear normal. In Windows systems, users have access tokens that grant ownership of running processes. A typical target for hackers is the SeDebugPrivilege, which allows users full access to programs for debugging. However, if no debugging is taking place, then the presence of this privilege may be a sign that malicious activity is underway. Other indications may be unauthorized bank purchases or notifications of sign-in attempts from unrecognized devices.

Additionally, organizations should consider software that monitors administrative accounts for events, such as users being added or deleted from administrative groups. With this software, organizations are notified and must approve any changes to such groups.

Preventing Privilege Escalation

Privilege escalation can be prevented with a combination of various cybersecurity mechanisms. First, organizations should educate all members on password best practices. For strong passwords, the Cybersecurity & Infrastructure Security Agency recommends:

  • Using multi-factor authentication
  • Using different passwords for different accounts
  • Creating passwords not based on personal information or easy to guess
  • Using the longest possible password
  • Avoiding words that can be found in a dictionary of any language

Additionally, organizations should consider setting password expiration dates so that users must change passwords regularly.

After being educated on password best-practices, users should learn how to avoid phishing schemes. Often, phishing schemes mimic legitimate emails from a trusted source, urging the recipient to download an attachment or click on a link. These links and attachments often contain malware, used to steal passwords, sensitive information, or inflict other damage.

Once users understand how they can do their part to prevent hacks and data breaches, organizations should evaluate their access management policies. As stated, new mechanisms for account takeover are introduced daily, so it’s almost impossible to protect all enterprise accounts. One must almost assume that accounts will be compromised.

Thus, users should be granted access permissions based on the Principle of Least Privilege (PoLP), defined by NIST 800-53 v4 PR AC-6 as the minimum amount of access permissions a user needs to perform their duties. PoLP makes sense in many ways:

  1. Ensures that legitimate users are not over-reaching their authority
  2. Enables an enterprise to enforce SOD (Segregation of Duties), required by many financial and health care organizations and guidance. (If everyone is an admin, it’s impossible to restrict access.)
  3. Ensures that if a hacker steals a user account, only minimal damage is done to the enterprise.

The key to point #3 is that we keep users at a minimal privilege because:

  • They are the sloppiest with their credentials
  • They are most likely to be hacked

But a key point often missed in PoLP is how to ENFORCE the premise. Enterprises often start with the best intentions, like applying minimal abilities to users. But IT is IT: change requests inundate IT and access-rights admins, who simply add more rights/privileges to the users because of the latest and most urgent (and often intimidating) request from some department chieftain who screams, “This has to be done now!”

This is EXACTLY how privilege creep occurs.

The admin alone can NOT be the only regulator of privileges, nor should the business owner have the right to demand access to all privileges that he deems his users should have. What needs to be enacted is a system where key privileges – privileges that could cause GREAT damage to the enterprise if these rights/roles fall into the wrong hands – must be immediately reviewed by both admins and business owners.

Most organizations do these types of reviews; they fall under the concept of User Access Reviews and under NIST 800-53 v4 PR AC-1, but they are mostly done periodically and not triggered by changes. A better practice is to identify the key security groups and privileges and create a trigger when a user account is escalated to a privileged account, either legitimately or maliciously.

Additionally, organizations should employ Role-Based Access Control (RBAC), which defines roles within the organization and the access permissions they should have. This makes managing users easier, as each user type is granted a certain set of permissions, eliminating the need to assign access rights to each user individually.

As mentioned above, after these best practices of RBAC have been established and applied throughout the organization, access reviews should be conducted regularly, with NIST recommending at least every six months. Access reviews are a crucial component of cybersecurity as they analyze all users and the access permissions they have been granted. If any user account is over-permissioned, access reviews can identify and mitigate the issue before it can be exploited by a hacker. If left unidentified, organizations may not know the risk to their data.

But, in light of the number of user compromises and credential thefts, it is considered a better practice to implement a “trigger” system that automates an access review when a key privilege is granted. If this tool has the same design and format as the periodic review, all involved will be able to conduct the review without much additional training.
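A sketch of such a trigger, added here as an example and not YouAttest's product or code: it evaluates constructed Windows Security events, opening a review when an account is added to a key group (event IDs 4728/4732/4756, the administrative-group changes the detection section says should be monitored) and flagging a logon that receives SeDebugPrivilege (event ID 4672) for an account outside an assumed allow-list of accounts that legitimately debug. The key-group set, the allow-list and the sample events are assumptions.

```python
"""Privilege-escalation trigger over Windows Security events (constructed sample)."""

# Groups whose membership changes must trigger an immediate access review (assumed set).
KEY_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Group-membership-add event IDs: 4728 (global), 4732 (local), 4756 (universal).
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# 4672: special privileges assigned to a new logon; SeDebugPrivilege is the token right discussed above.
SPECIAL_PRIV_EVENT = 4672
WATCHED_PRIVS = {"SeDebugPrivilege"}
# Accounts expected to hold debug rights (assumed allow-list, e.g. a developer service account).
DEBUG_ALLOWED = {"svc-debugger"}

def evaluate(events, allow_debug=DEBUG_ALLOWED, key_groups=KEY_GROUPS):
    """Return a list of review triggers (dicts) for events that indicate escalation."""
    triggers = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_ADD_EVENTS and ev.get("TargetGroup") in key_groups:
            triggers.append({
                "kind": "group_escalation",
                "subject": ev["MemberName"],
                "detail": f"added to {ev['TargetGroup']} by {ev['SubjectUser']}",
                "action": "open_access_review",  # admin and business owner both sign off
            })
        elif eid == SPECIAL_PRIV_EVENT:
            privs = set(ev.get("Privileges", "").split())
            hit = privs & WATCHED_PRIVS
            if hit and ev["SubjectUser"] not in allow_debug:
                triggers.append({
                    "kind": "token_privilege",
                    "subject": ev["SubjectUser"],
                    "detail": f"logon granted {', '.join(sorted(hit))} without a debugging role",
                    "action": "investigate",
                })
    return triggers

# Constructed sample events (not real logs); field names mirror common Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4732, "SubjectUser": "helpdesk1", "MemberName": "jdoe", "TargetGroup": "Administrators"},
    {"EventID": 4732, "SubjectUser": "helpdesk1", "MemberName": "jdoe", "TargetGroup": "Remote Desktop Users"},
    {"EventID": 4672, "SubjectUser": "jdoe", "Privileges": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4672, "SubjectUser": "svc-debugger", "Privileges": "SeDebugPrivilege"},
    {"EventID": 4624, "SubjectUser": "jdoe"},  # ordinary logon, no trigger
]

if __name__ == "__main__":
    for trigger in evaluate(SAMPLE_EVENTS):
        print(trigger)
```

In a real environment event 4672 fires for every administrative logon, so the allow-list must reflect every account that legitimately holds the right, or the group-membership rule alone should drive the review.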

Summary

As cybersecurity threats continue to rise and people continue to work from the safety and comfort of their homes, organizations need to be more vigilant when it comes to the potential for data breaches to occur. Through industry best practices, organizations can help to protect their users, customers, data, and reputation from the malicious work of cybercriminals.

About the Author

Garret Grajek, CISSP, CEH is CEO of YouAttest. YouAttest is a cloud-based IGA tool that automates both periodic and dynamically triggered access reviews for compliance and identity security.

Garret can be reached online at @YouAttest and at our company website https://youattest.com/
