What Does 'Privileged Account' Really Mean?

Privileged access has become a hot topic recently. For the first time ever, the Verizon Data Breach Investigations Report actually included privileged access as its own section in the report with some not so surprising results. Below are a couple of interesting takeaways from the report:

• Weak or common passwords were the cause of 63 percent of all breaches
• 53 percent of the breaches were due to the misuse of privileged accounts

Now that we know how important these accounts are, how do we know exactly what makes an account 'privileged'? One easy rule of thumb is to count any account with access to monetizable data (protected health information, credit card numbers, social security numbers, etc.) as a privileged account.

However that’s not all. There are other kinds of privileged accounts. What you have to decide for your organization is what privilege data is, where it is, and who has access to it. Control of privileged accounts is a major factor in compliance across all regulations in every industry. If that definition is a bit too broad, here are the most common types of privileged accounts:
 

Local Admin Accounts

These accounts are typically non-personal and provide administrative access to the local host. These accounts are typically used by the IT staff to perform maintenance or to set up new workstations. Often, these accounts will have the same password across the platform or organizations. These shared passwords are used by thousands of hosts and create a soft target for hackers. At a previous organization where I worked, all new email accounts were given the same password, [Company Name] + [Year]. Few, if any, employees changed that password once it was given to them and were never forced to update it during the year. If your organization is following a similar practice, it's time for a new practice.

Privileged User Accounts

These are the most obvious accounts. These give administrative privileges to one or more systems. They are the most common form and usually have unique and complex passwords giving them power across the network. These are the accounts that need to be monitored closely. Sometimes, these accounts don't belong to individual users and are instead shared among admins. Privileged account management should be leveraged here. These accounts should be monitored for who has access, what they have access to, and how often they request access.  

Domain Admin Accounts

Domain admins have privileged access across all workstations and servers on a Windows domain. These are the most extensive and robust accounts across your network because they have complete control over all domain controllers and the ability to modify membership of every administrative account within the domain. Compromise of these accounts are often listed as the 'worst case scenario' and should be monitored very closely.  

Emergency Accounts

Emergency accounts provide unprivileged users with admin access to secure systems in case of an emergency. These are also referred to as 'firecall' or 'breakglass' accounts. While these accounts should require managerial approval, the process is usually manual and lacks the appropriate record keeping needed for compliance audits.  

Service Accounts

These accounts are privileged local or domain accounts that are used by an application or service to interact with the operating system. Typically, they will only have domain access if it is required by the application being used. Local service accounts are more complicated because they typically interact with multiple Windows components. This means that changing passwords for these accounts must be done at the same time in order not to interfere with the dependent systems. Because of this, these passwords are rarely changed and are often a target.  

Application Accounts

Just as the name suggests, these accounts are used by applications to access databases and provide access to other applications. These accounts usually have broad access to the company information because of their need to work across the network. Typically, passwords for these accounts are not held by individual users and are shared across the network. These passwords are usually stored in unencrypted text files somewhere on the network so that everyone can gain access. The issue is that hackers can also gain access using this text file.