Revealing Privileges: How PAM Helps Identify Hidden Risks

In May 2024, news spread that a Russian engineer, using his skills and personal laptop, was able to turn off the electricity for residents of almost 40 settlements with the push of a button. This incident caused a wide resonance and became a topic of discussion in social networks and the media on the topic of energy system security and responsibility for such actions.

Any organization with employees who have privileges to work in information systems (hereinafter referred to as IS) may face a similar information security incident.

This article will discuss the PAM (Privilege Access Management) solution. We will also consider who privileged users are and what key role they play in managing access to critical systems and data. Understanding the features of this role and the risks associated with the actions of privileged users is the basis for developing effective access management and information protection strategies.

Who are privileged users

Privileges are understood as user accounts with administrative rights or additional powers to work in IS.

A privileged user is a user who uses privileges in working with corporate IS, including their installation, configuration, and maintenance.

These users include:

• system administrators of various IS

• security service employees

• outsourcing workers and auditors

• employees of the financial and legal department and accounting

• organization leaders (in some cases).

Risks of using privileges

The lack of centralized control over the actions of privileged users sooner or later leads to various incidents, because privileged users are, first of all, people.

These users have knowledge of where everything is and the keys to all the "locks", as well as an understanding of how all these "locks" and "alarms" work. This creates the possibility not only to steal, alter, or destroy important information, but also to effectively cover up their tracks.

It is impossible to do without such users in the workflow. At the same time, accounts with administrative rights are very often impersonal.

During the investigation of an incident, it is seen that the database was deleted by the user "Admin" without being tied to a specific user. There are five administrators working at the enterprise, and all of them have access to this account, so it is quite difficult to determine who is actually involved.

A distinctive feature in large organizations is the service extended rights for administrators. In some cases, these are built-in accounts, and in others — accounts created to automate processes using scripts. Most often, these accounts remain unlocked and with standard passwords, or these passwords were set once and have not been updated for the entire time of operation.

As a result, there are many privileged accounts and usually no one knows exactly how many of these accounts exist and what capabilities they have, let alone control the implementation of password policies for such accounts.

What actions can be taken?

Alternatives to PAM systems

1. Built-in control tools often have limited functionality and low adaptability to rapidly changing business requirements.

2. Personnel control tools and data leakage prevention (DLP) systems are usually limited to controlling RDP sessions using an agent on the workstation or server and do not support session interception at the gateway and other special privileged access protocols (SSH, Telnet, etc.).

3. Cross-checking, based on the interaction of security personnel, is prone to human error and becomes ineffective in large teams. Another method, video surveillance, only provides incident recording and raises privacy concerns, requiring significant resources for monitoring and storing records.

All these methods also suffer from a lack of integration with each other, require constant updates to combat new threats, and as the organization grows, scaling them can become challenging.

Therefore, for a comprehensive solution to the issue, in addition to the previous tools, it is necessary to use specialized commercial control systems such as Privileged Access Management (PAM).

PAM Capabilities: Why is it important?

PAM systems are centralized solutions that allow managing privileged access of employees to the organization's target resources. This means that information security personnel can control who and how gets access to critically important information and systems, thereby reducing the risks of incidents, including data leaks and unauthorized access.

Main functions of PAM systems

• Centralized access management

One of the main advantages of PAM is the ability to create a single point of management for privileged accounts. This simplifies the administration process and allows for more effective control over resource access.

• Detection and control of privileged account usage

PAM systems provide monitoring of the activity of users with privileged rights, which allows detecting suspicious actions and preventing potential threats.

• Reducing the number of privileged accounts

PAM systems help minimize the number of privileged accounts, which in turn reduces the attack surface and lowers security risks. This is achieved by assigning access rights only to those employees who really need them to perform their tasks.

• Multi-factor authentication

The use of multi-factor authentication when accessing privileged accounts significantly increases the level of security. Even if the credentials are compromised, additional authentication factors will make it difficult for attackers to gain access.

• User activity audit

PAM systems allow auditing the actions of privileged users, as well as implementing incident investigation mechanisms. Auditing actions is important for understanding how access is used and what actions can lead to data leaks.

• Password management

PAM includes password management functions, which allows automating the processes of their creation, storage, and updating.

• Implementation of complex security policies

PAM systems allow configuring complex security policies, and integration with other information security tools, such as SIEM systems, provides a comprehensive approach to protecting data and resources.

• Compliance with regulatory requirements

Finally, the use of PAM helps organizations meet the requirements of regulatory authorities in the field of information security, which is especially important for companies operating in these industries.

Where PAM can be applied

1. Unified remote access point — implementation of managed privileged access to corporate resources

2. Controlled contractor access — creation of temporary and secure access for freelance users to the company's IT systems, obtaining data for quality assessment

3. Access protection for the ACS TP and CII segment — ensuring secure and controlled access to critical infrastructure

4. Monitoring and investigation — improving response efficiency by recording the actions of privileged users for incident investigation

5. Anomaly detection for SOC and data centers — detection and quality processing of incoming events, as well as improving the speed of response to information security incidents.

The implementation of a PAM system allows preventing potentially dangerous actions and archiving session records of access to important system components.