Privileged Access Tools Are Not Enough to Secure Your Systems
Privileged accounts form the backbone of IT systems, granting elevated access to critical resources and sensitive data. Tools such as Entra ID Privileged Identity Management (PIM), CyberArk, BeyondTrust, and Delinea (formerly Thycotic) are essential components of Privileged Access Management (PAM), offering capabilities like password vaulting, session monitoring, and just-in-time (JIT) access. However, misconceptions persist that these tools alone are sufficient to secure privileged access. This article explores these misconceptions, outlines vulnerabilities, and provides detailed recommendations in line with the Australian Cyber Security Centre's (ACSC) Essential Eight.
The Importance of Privileged Access Security
What Is Privileged Access?
Privileged accounts are those with elevated permissions, allowing users or systems to manage configurations, access sensitive data, or perform administrative tasks. Their powerful capabilities make them a prime target for cybercriminals.
Why Does It Matter?
As cyber threats become more sophisticated, privileged accounts are increasingly exploited in attacks. Common methods include:
- Credential Theft: Using phishing or malware to steal login information.
- Privilege Escalation: Exploiting system vulnerabilities to gain higher access levels.
- Lateral Movement: Using a compromised account to infiltrate other systems.
Privileged access is not merely an IT issue; it is a critical organisational risk with potential impacts including data breaches, operational disruptions, and regulatory penalties.
The Role and Limitations of Privileged Access Tools
Capabilities of PAM Tools
Solutions like Entra ID PIM, CyberArk, BeyondTrust, and Delinea provide:
- Password Management: Secure storage, rotation, and management of privileged credentials.
- Access Control: Policies to restrict access based on roles, tasks, and approvals.
- Session Monitoring: Real-time oversight of privileged sessions, including recording and alerts.
- Just-In-Time Access: Temporary elevation of privileges to minimise standing access.
Where These Tools Fall Short
While these tools are essential, they have limitations:
- Endpoint Vulnerabilities: PAM tools do not secure the devices used to reach privileged accounts; a compromised endpoint sits outside their control and can expose the credentials or sessions they broker.
- Configuration Complexity: Misconfigurations can lead to security gaps.
- External Exposure Risks: If accounts are linked to external-facing systems, such as email, they become high-value targets for attackers.
- Advanced Persistent Threats (APTs): Tools alone cannot prevent determined adversaries leveraging sophisticated tactics.
ACSC Essential Eight: Best Practices for Privileged Access
The ACSC’s Essential Eight provides actionable strategies to mitigate privileged access risks. Key principles include:
1. Separation of Accounts
Privileged accounts should not be used for day-to-day activities such as reading emails or browsing the web. Separate accounts for administrative tasks reduce the likelihood of compromise.
2. No External Exposure
Privileged accounts must not be linked to external-facing services like email or accessible through remote applications. This isolation reduces exposure to phishing and web-based attacks.
3. Application Control
Only approved applications should run on devices used for privileged tasks. Whitelisting ensures that malicious software cannot execute on critical systems.
4. Patch Management
Regularly update software and operating systems to address vulnerabilities that attackers could exploit for privilege escalation.
Risks of Using Standard Accounts for Privileged Access
Some organisations allow standard user accounts to temporarily elevate privileges, introducing significant risks:
1. Compromised Credentials
If a standard user account is phished or otherwise compromised, attackers can leverage privilege elevation to gain administrative control.
2. Malware on Endpoints
Malicious software on a user’s device can intercept elevated session credentials or tokens, granting attackers unrestricted access.
3. Insufficient Monitoring
Elevated access sessions are often less scrutinised, allowing attackers to perform malicious actions undetected.
Attack Scenarios
Scenario 1: Email-Linked Privileged Account
- Threat: An administrator uses a single account for email and administrative tasks.
- Attack Vector: A phishing email compromises the account credentials.
- Impact: Attackers use stolen credentials to elevate privileges and deploy ransomware across the network.
- Mitigation: Separate accounts for privileged tasks, enforce MFA, and block privileged accounts from accessing email systems.
Scenario 2: Compromised Endpoint with Privilege Elevation
- Threat: A standard user’s laptop is infected with malware.
- Attack Vector: The user elevates privileges via a PAM tool, and the malware intercepts session data.
- Impact: Attackers gain administrative access to critical systems.
- Mitigation: Use dedicated privileged access workstations (PAWs) and implement strict endpoint monitoring.
The Role of Devices in Privileged Access
Risks from External Vendors
In many organisations, privileged access is granted to external vendors for system administration and support. Even where internal users operate without privileged accounts, external vendors introduce significant risks:
- Unmanaged Devices: External vendors often use their own devices, which may lack adequate security.
- Remote Access Vulnerabilities: Access through VPNs or RDP increases exposure to threats.
- Limited Monitoring: Organisations may have minimal visibility into vendor activities.
Recommendations for Managing Vendor Access
- Secure Virtual Environments: Use bastion hosts or virtual desktops (e.g., Citrix, Microsoft 365 Virtual Desktop) to isolate vendor access.
- Managed Devices: Require vendors to use organisation-controlled devices where possible.
- Monitoring and Auditing: Log all vendor activity, including privileged sessions.
- Time-Limited Access: Use Just-In-Time privileges to minimise exposure.
Recommendations for Securing Privileged Access
1. Adopt a Zero Trust Model
- Verify every request for access, regardless of user or device.
- Implement MFA and behavioural analytics to detect anomalies.
2. Enforce Least Privilege
- Grant the minimum necessary access for tasks.
- Adopt Just-In-Time (JIT) models to reduce standing privileges.
3. Deploy Dedicated Privileged Access Workstations (PAWs)
- Use secure, isolated devices for administrative tasks.
- Block internet and email access on PAWs to prevent external threats.
4. Harden Endpoints
- Use Endpoint Detection and Response (EDR) solutions to monitor devices.
- Restrict software installation to approved applications only.
5. Conduct Regular Audits and Reviews
- Audit privileged accounts and access logs frequently.
- Ensure permissions align with current job roles and responsibilities.
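The separation-of-accounts, no-external-exposure and JIT principles above, together with the periodic audit this recommendation calls for, can be checked mechanically against an export of privileged role assignments. The following is an added example written for this article, not code from the ACSC or any PAM vendor; the account names, roles, roster and policy are constructed, and the "eligible"/"permanent" labels are assumed to mirror a PIM-style export.

```python
# Constructed sample data for illustration (not from any real tenant): each
# privileged role assignment records the holder, how it was granted, and whether
# the account also has a mailbox (i.e. is reachable by phishing).
ASSIGNMENTS = [
    {"account": "adm-jsmith", "owner": "jsmith", "role": "Global Administrator",
     "assignment": "eligible", "mailbox": False},
    {"account": "jsmith", "owner": "jsmith", "role": "Exchange Administrator",
     "assignment": "permanent", "mailbox": True},
    {"account": "adm-mlee", "owner": "mlee", "role": "Global Administrator",
     "assignment": "permanent", "mailbox": False},
    {"account": "vendor-svc", "owner": "acme-support", "role": "Helpdesk Administrator",
     "assignment": "eligible", "mailbox": True},
]

# Current HR roster (constructed): who still works here and in what job role.
ROSTER = {"jsmith": "Identity Engineer", "mlee": "Service Desk Analyst"}

# Which privileged roles each job role is entitled to hold (constructed policy).
ROLE_POLICY = {
    "Identity Engineer": {"Global Administrator", "Exchange Administrator"},
    "Service Desk Analyst": {"Helpdesk Administrator"},
}


def audit_privileged_assignments(assignments, roster, role_policy):
    """Return (account, finding) pairs for assignments that breach the
    separation, no-external-exposure, JIT and role-alignment checks."""
    findings = []
    for a in assignments:
        acct, owner, role = a["account"], a["owner"], a["role"]
        # Separation of accounts: the admin identity must differ from the owner's daily one.
        if acct == owner:
            findings.append((acct, "privileged role on day-to-day account"))
        # No external exposure: a privileged account must not carry a mailbox.
        if a["mailbox"]:
            findings.append((acct, "privileged account is mail-enabled"))
        # Least privilege / JIT: standing assignments should be eligible-only.
        if a["assignment"] == "permanent":
            findings.append((acct, "standing assignment; convert to JIT"))
        # Role alignment: the owner must be on the roster and entitled to the role.
        job = roster.get(owner)
        if job is None:
            findings.append((acct, "owner not on current roster"))
        elif role not in role_policy.get(job, set()):
            findings.append((acct, f"{role} not permitted for {job}"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_privileged_assignments(ASSIGNMENTS, ROSTER, ROLE_POLICY):
        print(f"{account}: {finding}")
```

Run against a real export, the same checks give a defensible list of accounts to convert to JIT, strip of mailboxes, or remove after a role change.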
6. Provide Comprehensive Training
Educate employees and administrators about:
- The dangers of phishing and social engineering.
- Safe practices for managing privileged accounts.
7. Monitor and Respond to Threats
- Use SIEM solutions to centralise and analyse privileged access logs.
- Implement automated responses to suspected breaches, such as account lockdowns.
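The detection logic a SIEM would run over privileged sign-in logs, covering the two attack scenarios above (a privileged identity touching email, and privileged use from a device that is not a PAW) plus use outside an approved JIT window. This is an added example for this article, not any vendor's rule set; the sign-in records, account and device names, application names and JIT windows are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample sign-in events (JSON lines); not from any real tenant.
SIGNIN_LOG = """\
{"ts": "2024-05-02T08:05:00Z", "account": "adm-jsmith", "app": "Azure Portal", "device": "PAW-01"}
{"ts": "2024-05-02T08:40:00Z", "account": "adm-jsmith", "app": "Exchange Online", "device": "PAW-01"}
{"ts": "2024-05-02T09:10:00Z", "account": "adm-mlee", "app": "Azure Portal", "device": "LAPTOP-77"}
{"ts": "2024-05-02T09:30:00Z", "account": "jsmith", "app": "Exchange Online", "device": "LAPTOP-12"}
{"ts": "2024-05-02T13:00:00Z", "account": "adm-jsmith", "app": "Azure Portal", "device": "PAW-01"}
"""

PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-mlee"}
PAW_DEVICES = {"PAW-01", "PAW-02"}
# Email and other externally reachable workloads a privileged account must never use.
EXPOSED_APPS = {"Exchange Online", "Outlook Web", "Microsoft Teams"}
# Approved JIT activations (constructed): account -> list of (start, end) windows in UTC.
JIT_WINDOWS = {"adm-jsmith": [("2024-05-02T08:00:00Z", "2024-05-02T10:00:00Z")]}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_jit_window(account, when):
    return any(_parse(s) <= when <= _parse(e) for s, e in JIT_WINDOWS.get(account, []))


def detect_privileged_misuse(log_text, privileged, paws, exposed_apps):
    """Return (account, ts, finding) triples for privileged sign-ins that breach
    the no-email, PAW-only and JIT-window rules; standard accounts are skipped."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        acct = ev["account"]
        if acct not in privileged:
            continue
        if ev["app"] in exposed_apps:       # Scenario 1: privileged identity on email
            findings.append((acct, ev["ts"], f"privileged sign-in to {ev['app']}"))
        if ev["device"] not in paws:        # Scenario 2: not from a dedicated PAW
            findings.append((acct, ev["ts"], f"sign-in from non-PAW device {ev['device']}"))
        if not _in_jit_window(acct, _parse(ev["ts"])):   # standing or unapproved use
            findings.append((acct, ev["ts"], "sign-in outside approved JIT window"))
    return findings


if __name__ == "__main__":
    for acct, ts, finding in detect_privileged_misuse(
            SIGNIN_LOG, PRIVILEGED_ACCOUNTS, PAW_DEVICES, EXPOSED_APPS):
        print(f"{ts} {acct}: {finding}")
```

Each finding maps to an automated response the recommendation mentions: a privileged sign-in to email or from an unmanaged device is a reasonable trigger for an immediate account lockdown pending review.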
Conclusion
Privileged access security is a complex and evolving challenge. Tools like Entra ID PIM, CyberArk, BeyondTrust, and Delinea are indispensable, but they must be integrated into a broader security strategy that includes the principles outlined in the ACSC Essential Eight. A holistic approach that combines technical controls, robust policies, and ongoing education is essential for defending against today’s sophisticated threats.
Sources
- Australian Cyber Security Centre (ACSC): Essential Eight Strategies
- Delinea: Privileged Access Management Overview
- BeyondTrust: Privileged Access Security
- Microsoft: Securing devices as part of the privileged access story
- Citrix: Virtual Desktop Infrastructure Security
- CyberArk: Best Practices for External Vendor Access