Intelligent CIO Europe Issue 03 | Page 52

CIO OPINION

use a free tool, or existing product already in your organisation to find them? Odds are you are already doing this and you just need to know where to look to get this information. It would be foolish not to.

So how do you spend a penny or less to discover privileged accounts and rate their risk? Look no further than your existing operations and security teams. Your existing teams probably have a vulnerability assessment solution capable of performing user enumeration for operating systems, applications and databases. Within that data, the results should include accounts and their creation date, last login date, password age and which groups they belong to, including the administrators group or root. The results of these scans are generally ignored by vulnerability assessment teams but are invaluable to security teams attempting to gauge the exposure of privileged accounts.

If you can discover where privileged accounts exist, you can measure their risk and then monitor for their usage. Any inappropriate access can be highlighted using log management or a SIEM and properly escalated for investigation.

“CRITICALITY CAN COME FROM VULNERABILITIES OR UNRESTRICTED, UNMANAGED AND UNDELEGATED ACCESS IN ADDITION TO ATTACK VECTORS THAT HAVE WORKABLE EXPLOITS.”

Now I know some of my readers may be going – so what? We already do this. That is great, but do you take this to the next level and actually assign a risk to the account? Do you quantify how often it is used, where it is used from and how many people are using it (sharing accounts is a bad security practice, by the way)? This is where a penny becomes important, versus being foolish.

All privileged accounts are not equal. Some are worth a penny (figuratively) and others a lot more, based on risk. A domain administrator account is of higher value than a local administrator account with a unique password (although that may be good enough to leverage for future lateral movement). Treating every privileged account the same is foolish.
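The approach described above (take the user-enumeration output a vulnerability scanner already produces, keep the accounts in administrative groups, then weigh each one by password age, dormancy and how it is actually used according to SIEM authentication events) can be turned into a small risk-rating script. The following is an added example, not the author's code or any vendor's product; the account records, the authentication events, the group names and the score weights are all constructed here for illustration and should be replaced by your own scanner export, SIEM query and risk policy.

```python
"""Rate discovered privileged accounts by risk using two data sources the
article says most organisations already have: user-enumeration results
from a vulnerability scanner and authentication events from a SIEM.
Every record below is constructed sample data for this example."""
from collections import defaultdict
from datetime import date

# Constructed scanner user-enumeration output: one row per account per host,
# with the fields the article lists (creation date, last login, password age,
# group membership).
ENUMERATED = [
    {"account": "CORP\\da-backup", "host": "dc01", "created": date(2015, 3, 2),
     "last_login": date(2018, 1, 20), "password_age_days": 900,
     "groups": ["Domain Admins"]},
    {"account": "CORP\\svc-legacy", "host": "dc01", "created": date(2014, 8, 14),
     "last_login": date(2017, 4, 1), "password_age_days": 700,
     "groups": ["Domain Admins"]},
    {"account": "ws042\\Administrator", "host": "ws042", "created": date(2017, 9, 1),
     "last_login": date(2018, 1, 21), "password_age_days": 30,
     "groups": ["Administrators"]},
    {"account": "root", "host": "db01", "created": date(2016, 6, 10),
     "last_login": date(2018, 1, 22), "password_age_days": 400,
     "groups": ["root"]},
    {"account": "CORP\\jsmith", "host": "ws042", "created": date(2017, 9, 1),
     "last_login": date(2018, 1, 22), "password_age_days": 45,
     "groups": ["Users"]},
]

# Constructed SIEM-normalised authentication events. "operator" is the human
# the session was traced back to (jump host or badge login, assumed to be
# available); several operators on one account means the account is shared.
AUTH_EVENTS = [
    {"account": "CORP\\da-backup", "src": "10.1.1.5", "operator": "alice"},
    {"account": "CORP\\da-backup", "src": "10.1.1.5", "operator": "bob"},
    {"account": "CORP\\da-backup", "src": "10.9.3.77", "operator": "carol"},
    {"account": "root", "src": "10.1.1.5", "operator": "alice"},
    {"account": "ws042\\Administrator", "src": "10.1.2.8", "operator": "dave"},
]

# Illustrative policy: base score by scope of privilege (a domain admin is
# worth more than a local admin, as the article argues) plus penalties.
ADMIN_GROUPS = {"Domain Admins": 50, "root": 40, "Administrators": 30}
PASSWORD_MAX_AGE_DAYS = 90
DORMANT_DAYS = 90
AS_OF = date(2018, 2, 1)  # constructed "today" for the dormancy check


def find_privileged(enumerated):
    """Keep only the accounts that belong to an administrative group."""
    return [a for a in enumerated if any(g in ADMIN_GROUPS for g in a["groups"])]


def usage_profile(events):
    """Per account: the distinct source addresses and distinct operators seen."""
    profile = defaultdict(lambda: {"sources": set(), "operators": set()})
    for event in events:
        profile[event["account"]]["sources"].add(event["src"])
        profile[event["account"]]["operators"].add(event["operator"])
    return profile


def score_account(acct, profile, today):
    """Additive score with one reason per factor so the rating is auditable."""
    score = max(ADMIN_GROUPS.get(g, 0) for g in acct["groups"])
    reasons = ["privileged scope"]
    if acct["password_age_days"] > PASSWORD_MAX_AGE_DAYS:
        score += 15
        reasons.append("stale password")
    if (today - acct["last_login"]).days > DORMANT_DAYS:
        score += 10
        reasons.append("dormant")
    use = profile.get(acct["account"])  # .get() does not create an entry
    if use:
        if len(use["operators"]) > 1:
            score += 20
            reasons.append("shared by %d people" % len(use["operators"]))
        if len(use["sources"]) > 1:
            score += 10
            reasons.append("used from %d sources" % len(use["sources"]))
    return score, reasons


def rate_privileged_accounts(enumerated, events, today):
    """Return (account, host, score, reasons) tuples, highest risk first."""
    profile = usage_profile(events)
    rated = []
    for acct in find_privileged(enumerated):
        score, reasons = score_account(acct, profile, today)
        rated.append((acct["account"], acct["host"], score, reasons))
    return sorted(rated, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for account, host, score, reasons in rate_privileged_accounts(ENUMERATED, AUTH_EVENTS, AS_OF):
        print("%3d  %-22s %-6s %s" % (score, account, host, ", ".join(reasons)))
```

On the constructed data the shared, stale domain administrator account lands at the top, the dormant domain administrator service account second, and the freshly rotated local administrator last; the ordinary user account is dropped before scoring. The weights are the part to argue about with your own risk owners; the structure (scope first, then hygiene, then observed usage from the SIEM) is what makes two accounts of the same type rate differently.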