Regular user accounts can't have elevated privileges or access to sensitive data because those are reserved solely for administrative accounts. That's how it works, right?
Wrong.
In today's increasingly complex workplace environments, those once considered standard users now frequently have access to sensitive applications and data and can take high-risk actions as part of their duties, making them at least temporary privileged users.
As CyberArk CEO Matt Cohen said at a recent conference, "Any identity can be privileged at any given time."
Attackers know this and are exploiting the gap between outmoded authentication protocols and the new workplace reality. As the adage goes, "Smart hackers don't break in — they log in."
"More than half (52%) of workforce identities have access to (an organization's most critical systems and sensitive data)," writes CyberArk's Amita Potnis in a 2023 blog post. "Meanwhile, 77% of IT security decision-makers say developers have too many privileges."
It is no longer enough to rely solely on usernames and passwords, or traditional identity management, to protect vital systems and assets in an environment where tools and actions, not identity restrictions, determine access to sensitive information and elevated privileges.
What's required is to extend the intelligent privilege controls once reserved for privileged access management (PAM) to all users through a modern Identity and Access Management (IAM) solution. In that way, IAM can log, track, challenge and manage all user accounts, both human and otherwise, and enforce the principle of least privilege access so that risk is minimized and security controls match the level of access users require to do their jobs, not just their user designation.
Extending those controls also means that passwords that fall outside the scope of single-sign-on (SSO) implementations can be held in a vault; web sessions in risky applications can be monitored; and data exfiltration can be minimized.
How non-privileged users can gain privileges
Standard users can legitimately gain privileges in many ways, most of them unremarkable and barely noticeable.
"Most organizations today have hundreds of thousands of identities to secure, both human and non-human," said CyberArk's Cohen in his conference presentation. "More and more of those identities look like privileged accounts at any given moment."
For example, regular human-resources staffers will not have any special administrative privileges on the network. But as part of their jobs, they're able to read, write and delete sensitive personnel records that are off-limits to most other users.
Developers likewise don't have admin privileges, but they can access testing and staging sandboxes and servers. If those testing platforms aren't configured properly, they might let developers reach sensitive areas on other platforms and servers.
Developers can also, knowingly or not, push through code that may or may not be malicious. It would take a sharp-eyed security auditor — or an AI-powered application-scanning tool — to notice the difference.
When a regular user's computer dies, IT provisions and delivers a new one. However, if the IT staff makes a mistake, the user might be set up as an administrator rather than a standard user on the local machine, letting the user install unapproved software without proper authorization.
Misconfigured software-as-a-service (SaaS) or cloud resources could also let standard users suddenly get into restricted areas, especially if the authentication protocol being used was designed for on-premises infrastructure and programs.
As part of its job, a software service account might be able to modify and update specific applications. But a misconfiguration could let that account alter other applications beyond its original remit.
Low-ranking IT staffers normally have limited abilities to reconfigure network topology or domain servers. But if the boss is out and something needs to be done quickly, a staffer might gain temporary admin privileges. Those privileges might not be revoked afterward, creating a classic case of "privilege creep."
A high-ranking network admin should have special privileges and the power to configure local active domains. But such blanket privileges might let the admin see personnel records that H.R. keeps under lock and key, even though accessing those records isn't part of the network admin's job.
Like most people, the high-ranking network admin logs into a personal Gmail account from a web browser on a workplace computer. But if the Gmail account is compromised in some other way, an attacker might be able to steal session cookies or login credentials to access the internal corporate systems the network admin is responsible for.
Or say a high-ranking executive with special access privilege decides to leave the company. All well and good, but there's a lag of several days before IT gets around to deprovisioning the executive's account after their final day. In the meantime, the privileged account sits unmonitored.
"Sixty-three percent of security decision-makers admit that the highest-sensitivity access for employees in their organization, such as IT admins and other privileged user accounts, is not adequately secured today," states CyberArk's 2023 Identity Security Threat Landscape Report.
How attackers abuse hidden privileges
All of the users in the above scenarios are ripe targets for attackers.
A cybercriminal or nation-state hacker interested in personnel records might send a phishing email to the HR staffer, whose account would presumably be less protected than that of a network admin or company executive.
Attackers interested in network penetration might send similar phishing emails to low-ranked IT staffers in the expectation that their accounts might be leveraged for post-breach privilege escalation.
Or, as CyberArk’s Andy Thompson detailed in a recent blog post about the 2023 MGM Resorts attack, attackers could social-engineer a help-desk operator into resetting the multi-factor authentication (MFA) of a privileged user. In the MGM case, this let the attackers hijack the IAM platform and Microsoft Azure cloud assets and plant ransomware on VM servers, costing the company about $100 million in repairs and lost business.
How to defend against attackers abusing privilege creep
Like the workaday occurrences presented earlier that each resulted in user privilege creep, such attack techniques are nothing special. Yet organizations that use plain-vanilla username-password authentication have little defense against them.
A CISA survey in 2023 found that 54% of assessed organizations had suffered an attack in the previous year in which valid accounts were used to gain access to systems.
Modern authentication platforms, protocols and precautions that can cut down on the success rate of such identity-based attacks include:
- Implementing MFA with strong authentication factors and context-aware identity challenges,
- Single-sign-on (SSO) so that employees won't use and reuse lousy passwords,
- Using password managers or vaults for passwords that fall outside the scope of SSO,
- Enforcing the principle of least privilege on both network resources and endpoints, making sure that no user has unnecessary access or privileges,
- Role-based access controls so that permissions are defined only by a user's current job,
- Regular forced user logouts to counter session hijacks,
- Passwordless authentication, starting with endpoints and broadening from there,
- Network segmentation that puts up barriers to free-roaming attackers,
- Session isolation that routes user access to cloud or network resources through proxy services, and
- Strong IAM platforms that track and log user behavior and movements, including into web applications.
Further down the line, an organization might consider:
- A zero-trust network model so that every user must constantly be authenticated,
- A secure enterprise browser to protect the endpoint and prevent data loss,
- Just-in-time (JIT) access provisioning that grants temporary privileged access only when necessary,
- Zero standing privileges (ZSP), in which no user has any permanent access to anything, and access is granted only through JIT provisioning, and
- AI-assisted IAM platforms that can rapidly determine proper permissions and assess authentication factors.
Slow uptake of modern IAM protocols
Organizations are rolling out these improvements, but some are taking root more quickly than others. In a 2024 survey of about 200 IT and security professionals conducted by CyberRisk Alliance (CRA), most respondents said their organizations had implemented MFA and SSO. Two-thirds said their organizations had partly or fully implemented IAM.
Other aspects of modern authentication are more aspirational. More than three-fifths of respondents in the CRA survey whose organizations were already implementing IAM, or planned to implement it, said that least-privilege access was part of their strategy or program.
But only one in four respondents said they were highly confident that their organizations gave users the "bare minimum level of access" to perform their jobs.
"We have many staff members who shouldn't need all the access rights they have," said one respondent. "Some users do not understand the security implications of allowing them to have more access than they need."
Until more organizations implement full-fledged IAM platforms with least-privilege access firmly in place, log-in breaches will continue to be a major threat. In the meantime, take heed of the warning delivered by CyberArk's Amy Blackshaw in a 2023 blog post:
"Any identity can become privileged based on what it can access — and what actions it can take."
