Mobile Telecom Security Landscape Blog: June 25

Welcome to the June blog. This month we look at the need for strong controls over staff with privileged access to operational systems. The blog discusses ways to limit the opportunity for would-be attackers, architectural choices including the concept of the privileged access workstation, and a range of operational best practices, such as privileged access management and least privilege.

In a previous blog post, we discussed aspects of an attacker’s reconnaissance activity. LinkedIn profiles have also become a surprisingly effective asset for attackers gathering information about their targets, for example identifying the individuals with escalated privileges. Those ‘admins’ with higher privileges will often hold powerful rights: the ability to make changes to vital core networks and other network functions, to move laterally within the network, and to access wider systems. As such, admins are tempting targets for would-be attackers. Profile detail can be used to understand which phishing guises are likely to succeed, the target’s likely level of permissions / privileges, and which equipment vendors / products they are responsible for. Limiting the detail provided on such social media platforms makes it harder for attackers to identify a target and reduces the effectiveness of any attack that is attempted.

Privileged Access Management (PAM) is a cybersecurity discipline that focuses on controlling and monitoring access to sensitive resources by users with elevated privileges (e.g., administrators). This can include a formal, senior and independent approval (and regular re-approval) of any administrator’s escalated privileges. It aims to reduce the risk of unauthorised access (including by malicious insiders) and misuse of privileged accounts. Closely allied to PAM is the concept of Least Privilege, i.e. giving users only the permissions they need to undertake their role, which reduces the risk of unauthorised access to sensitive or critical areas of a system. An approach to Least Privilege is to:

  • Decide which permissions each user role needs to undertake its work; be as specific as possible to avoid overly broad permissions.
  • Review the permissions assigned to each role within each of your systems.
  • Review the permissions currently granted to individual accounts against those role baselines.
  • Good password practices and enforcing multi-factor authentication (MFA) are an essential complement.
  • Monitoring access – all account access should be regularly reviewed, with more frequent reviews of admin accounts. Other triggers for review include job role changes, re-organisations, acquisitions / disposals and joiners / leavers.
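The review steps above can be turned into a repeatable check. The following is an added example (not code from the original blog) that compares each account’s granted permissions against a hypothetical per-role baseline, flags accounts without MFA, and lists accounts whose last access review is older than the allowed interval, with admin accounts held to a shorter interval. The role names, permission strings, review intervals and sample accounts are all constructed for illustration.

```python
"""Least-privilege access review over constructed sample account data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical baseline of the permissions each role actually needs (an
# assumption for this example, not from the blog). Entries are deliberately
# specific: a wildcard such as "*" never belongs in a baseline.
ROLE_BASELINE = {
    "core-network-admin": {"hss.read", "hss.write", "mme.config"},
    "noc-operator": {"hss.read", "alarm.read", "ticket.write"},
    "billing-analyst": {"cdr.read", "report.run"},
}

# Admin accounts are reviewed more often than standard ones (assumed values).
ADMIN_REVIEW_DAYS = 30
STANDARD_REVIEW_DAYS = 90


@dataclass
class Account:
    username: str
    role: str
    permissions: set
    mfa_enabled: bool
    last_reviewed: date
    admin: bool = False


def excess_permissions(accounts, baseline=ROLE_BASELINE):
    """Return {username: sorted permissions not justified by the account's role}.

    An account whose role is absent from the baseline has every permission
    flagged, since none of them can be justified.
    """
    findings = {}
    for acct in accounts:
        allowed = baseline.get(acct.role, set())
        extra = sorted(acct.permissions - allowed)
        if extra:
            findings[acct.username] = extra
    return findings


def overdue_reviews(accounts, today):
    """Return usernames whose last access review is older than the allowed interval."""
    overdue = []
    for acct in accounts:
        interval = ADMIN_REVIEW_DAYS if acct.admin else STANDARD_REVIEW_DAYS
        if today - acct.last_reviewed > timedelta(days=interval):
            overdue.append(acct.username)
    return sorted(overdue)


def missing_mfa(accounts):
    """Return usernames that do not have multi-factor authentication enforced."""
    return sorted(a.username for a in accounts if not a.mfa_enabled)


def run_review(accounts, today):
    """Bundle the three checks into one report dictionary."""
    return {
        "excess_permissions": excess_permissions(accounts),
        "overdue_reviews": overdue_reviews(accounts, today),
        "missing_mfa": missing_mfa(accounts),
    }


# Constructed sample accounts (not real data). "dave" holds a wildcard grant,
# "bob" has write access his role does not need, "carol" lacks MFA and an
# up-to-date review, and "dave" is an admin whose review is overdue.
SAMPLE_ACCOUNTS = [
    Account("alice", "core-network-admin", {"hss.read", "hss.write", "mme.config"},
            True, date(2025, 6, 1), admin=True),
    Account("bob", "noc-operator", {"hss.read", "hss.write", "alarm.read", "ticket.write"},
            True, date(2025, 5, 1)),
    Account("carol", "billing-analyst", {"cdr.read", "report.run"},
            False, date(2025, 2, 1)),
    Account("dave", "core-network-admin", {"hss.read", "hss.write", "mme.config", "*"},
            True, date(2025, 4, 1), admin=True),
]

REVIEW_DATE = date(2025, 6, 25)  # constructed "today" for the sample run

if __name__ == "__main__":
    for check, result in run_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{check}: {result}")
```

In practice the account list would be exported from the identity provider or PAM tool rather than hard-coded, and the baseline would be owned by the approver described above so that any permission outside it requires a recorded justification.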

The UK’s National Cyber Security Centre recently released guidance on privileged access workstations (PAWs), which it defines as highly restricted and audited physical devices that help an organisation minimise the attack surface for its high-risk systems. The guidance focuses on securing the PAW and reducing the possible attack vectors, for example by not allowing a PAW to have email access, so that a threat actor cannot use phishing against it to gain access to wider devices or networks. In practice, implementing this can be non-trivial, as it may make remote support arrangements and out-of-hours interventions less convenient than simply logging on to the operational network from the regular compute device. However, it has the potential to prevent serious and impactful compromises of core and other network functions. This risk avoidance approach can provide a much stronger set of security controls than allowing higher risk services and then adding risk mitigation controls around them.

The PAW approach aims to remove the architectural weak link between enabling information technology (IT) systems and the mobile operational network.  The guidance identifies eight steps:

  • Establish your organisation’s PAW strategy
  • Design your PAW solution to be usable and secure
  • Establish a foundation of trust
  • Scale the solution
  • Reduce the attack surface
  • Isolate high risk activity from your PAW
  • Put in place protective monitoring
  • Control data entering and leaving the PAW solution

Whilst the guidance is broadly applicable to information technology and operational technology solutions, for mobile network operators in the UK it carries additional weight through its link to national legislation: the associated Telecommunications Security Code of Practice contains extensive detail on PAWs and their implementation requirements.

This blog has outlined some key security principles: limiting LinkedIn job role descriptors to make it harder for attackers to successfully target admins, using PAM and Least Privilege to actively limit and manage account permissions, and architecting in PAWs to limit attack opportunities. Taken together, these actions can significantly improve any given security posture.

If you’d like to discuss these topics or to get more closely involved, please email [email protected].