CIO
opinion
“A compromised privileged password does have a monetary value on the dark web for a threat actor to purchase, but also has a price that can be associated to an organisation in terms of risk.”
You could make the same argument for a database admin account versus a restricted account used with ODBC for database reporting. Both are privileged, but owning the database versus just extracting data is not the same. Yes, both could be a devastating attack vector responsible for a breach, but owning the database is the highest privilege you can get. Therefore, it could potentially allow a threat actor to maintain a persistent, stealthy presence (if cynical and crafty enough) until the organisation identifies the breach.
So, now to the academics. What should you do to take credential and privilege management to the next level?
• Identify crown jewels (sensitive data and systems) within the environment. This will help form the backbone for quantifying risk. If you do not have this currently mapped out, it is an exercise worth pursuing.
• Discover all of your privileged accounts using existing tools, free solutions (there are plenty) or a dedicated privileged access solution.
• Map the discovered accounts to crown jewel assets. This can be done by hostname, subnet, AD queries, zones or other logical groupings based on business function.
• Measure the risk of each asset. This can be done using basic critical, high, medium and low ratings, but should also consider the crown jewels present and any other risk vectors, such as vulnerabilities. Each of these metrics helps weight the asset score. If you are looking for a standardised starting place, consider CVSS and its Environmental metrics.
• Finally, overlay the discovered accounts. The risk of the asset helps determine how likely it is that a privileged account can be compromised (via vulnerabilities) and helps prioritise asset remediation outside of the account mapping.
In the real world, a database holding sensitive information may have a few critical vulnerabilities from time to time between patch cycles; while they are present, the asset can be considered a critical risk regardless of the accounts identified. Once patch remediation occurs, the asset may still be a high risk if privileged access is not managed, and it will drop in risk if privileged sessions are monitored and access is controlled.
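As an added illustration (not code from the column or from any vendor's product), the following Python walks the five steps above and the patched versus unpatched database scenario as a small risk overlay: the band weights, hostnames, account names and CVSS values are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Qualitative bands shared by the vulnerability rating and the asset score (assumed weights).
BAND = {"low": 1, "medium": 2, "high": 3, "critical": 4}
NAME = {v: k for k, v in BAND.items()}

@dataclass
class Asset:
    host: str
    crown_jewel: bool                      # step 1: holds sensitive data or systems
    cvss: list[float]                      # step 4: CVSS base scores of open vulnerabilities
    privileged: list[str] = field(default_factory=list)   # steps 2-3: accounts mapped to this host
    access_managed: bool = False           # credentials vaulted and delegated
    session_monitored: bool = False        # privileged sessions recorded

def vuln_band(cvss: list[float]) -> int:
    """Worst open vulnerability, mapped onto the CVSS v3 qualitative bands."""
    worst = max(cvss, default=0.0)
    return 4 if worst >= 9.0 else 3 if worst >= 7.0 else 2 if worst >= 4.0 else 1

def asset_score(a: Asset) -> int:
    """Steps 4-5: weight the vulnerability band, then overlay the account posture."""
    score = vuln_band(a.cvss)
    if a.crown_jewel:                      # a crown-jewel asset weights the score up one band
        score = min(score + 1, BAND["critical"])
    if score == BAND["critical"]:          # an open critical risk stands regardless of accounts
        return score
    if a.privileged:
        if not a.access_managed:           # unmanaged privilege keeps a patched asset at high
            score = max(score, BAND["high"])
        elif a.session_monitored:          # managed and monitored privilege drops the risk a band
            score = max(score - 1, BAND["low"])
    return score

def prioritise(assets: list[Asset]) -> list[tuple[str, str, list[str]]]:
    """Remediation order: highest residual risk first, with the mapped accounts overlaid."""
    ranked = sorted(assets, key=lambda a: (-asset_score(a), a.host))
    return [(a.host, NAME[asset_score(a)], a.privileged) for a in ranked]

# Constructed inventory: hostnames, accounts and scores are made up for illustration.
INVENTORY = [
    Asset("db-finance-01", True, [9.8, 5.3], ["sa", "svc_backup"]),             # unpatched, unmanaged
    Asset("db-finance-02", True, [5.3], ["sa", "svc_backup"]),                  # patched, still unmanaged
    Asset("db-finance-03", True, [5.3], ["sa"], access_managed=True, session_monitored=True),
    Asset("report-odbc-01", False, [4.0], ["odbc_reader"], access_managed=True, session_monitored=True),
    Asset("kiosk-07", False, []),                                                # no crown jewels, no privilege
]
```

Calling prioritise(INVENTORY) ranks the unpatched finance database as critical, the patched but unmanaged copy as high, and the managed, session-monitored copy as medium, which is the ordering the paragraph above describes.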
Criticality can come from vulnerabilities or from unrestricted, unmanaged and undelegated access, in addition to attack vectors that have workable exploits. Spending a penny to find them and map them is a much safer security mechanism than foolishly leaving them unattended. Thus, it is penny wise to understand your privileged accounts, versus password foolish to have one used in a breach.
INTELLIGENTCIO