
Zero Standing Privileges

Apr 28, 2021 | BLOG

With the growth of cyberattacks, access credentials have become a strong attack vector. In 74% of data breach cases, companies confirm unauthorized access to a privileged account as the main cause.

In addition, the Verizon Data Breach Investigations Report (DBIR) found that 29% of all breaches involved the use of stolen credentials, second only to phishing.

Once a credential is compromised, an attacker is able to move laterally, infecting other devices and increasing the risk of data leaks or even ransomware infection. The reason behind this (and the reason administrator credentials remain an easy target for attackers) is the high level of access that these credentials provide.

Generally, PAM or Endpoint Privilege Management (EPM) solutions are not designed to deal with the risks associated with standing privilege.
Standing privilege is when administrator accounts with privileged access are always active (always-on). On average, in a large company, it is possible to find 480 users with administrator access on their workstations.

Thus, the concept of Zero Standing Privileges (ZSP) aims to eliminate standing privileges within organizations and mitigate cybersecurity risks.

What is Zero Standing Privileges (ZSP)?


Administrative privilege provides the means attackers need to take criminal action, be it data exfiltration, data destruction, or other crimes.

When an organization has identities with standing privileges (always-on), it must prioritize efforts to control access to such identities, monitor their use, and protect them from misuse.

However, for most of the day, these highly privileged identities remain idle, unused, but still pose risks.

Traditional PAM approaches have focused on managing and controlling access to privileged account passwords or temporarily elevating privileges to manage when users can work with administrative privileges.

For example, a server administrator can check out the password of the day to access their privileged personal account each morning. Or they can simply use a solution that elevates their privileges on demand.

Nevertheless, the focus of each of these approaches is to ensure that the employee uses their privileges in an authorized manner, assuming that they are a trustworthy employee and not an attacker looking for ways to compromise the organization.

In both cases, the privileges granted to their privileged personal account or in the sudo configuration are permanent and at risk of being abused by a motivated criminal.


Just Enough Privilege (JEP) and Just in Time (JIT)


What if we can eliminate these standing privileges and replace them with a policy-driven process to allow privileged access only when necessary and with scope only for the required tasks?

The answer to that is using the concepts of Just Enough Privilege (JEP) and Just in Time (JIT). In a just-in-time workflow, there are no standing privileges for employees – no sudo settings to manage, no privileged personal account to monitor.

Instead, potential employee privileges are detailed in a centralized policy. When an employee’s job requires privileged access, they start an activity that describes what they want to do and what resources they need to do it.

Behind the scenes, an activity identity is created or activated and only required privileges are granted to perform just the desired task.

The activity is then performed interactively by the employee (for example, an RDP session to a server) or by the system on their behalf (for example, rebooting a server).

Upon completion of the activity, privileges are revoked from the activity’s identity and it is destroyed or deactivated.

By adopting this workflow, the privilege attack surface is reduced to the window during which the employee is actively using the privilege, which decreases the risk that an attacker will steal credential passwords.
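The JEP/JIT workflow above (policy, activity request, ephemeral activity identity, scoped rights, revocation on completion) as a small broker, written here as an added illustration; it is not code from the original post or from any product, and the policy, role, activity and right names are constructed for the example:

```python
import uuid
from dataclasses import dataclass

# Constructed policy (hypothetical names): per role, the activities a user may
# request and the minimal rights each activity needs (Just Enough Privilege).
POLICY = {
    "server-admin": {
        "reboot-server": {"power.reboot"},
        "rdp-session": {"rdp.connect"},
    },
}


@dataclass
class ActivityIdentity:
    """Ephemeral identity that exists only for the duration of one activity."""
    activity_id: str
    requester: str
    resource: str
    rights: frozenset


class JitBroker:
    """Policy-driven JIT broker: rights exist per activity and vanish on completion."""

    def __init__(self, policy):
        self.policy = policy
        self.active = {}   # activity_id -> ActivityIdentity currently in progress
        self.audit = []    # (event, user, activity, resource) for later review

    def request(self, user, role, activity, resource):
        allowed = self.policy.get(role, {})
        if activity not in allowed:
            self.audit.append(("denied", user, activity, resource))
            raise PermissionError(f"role {role!r} may not request {activity!r}")
        ident = ActivityIdentity(uuid.uuid4().hex, user, resource, frozenset(allowed[activity]))
        self.active[ident.activity_id] = ident
        self.audit.append(("granted", user, activity, resource))
        return ident

    def authorize(self, activity_id, right, resource):
        # Checked on every privileged action: the activity must still be in
        # progress, the target must match the requested resource, and the right
        # must be within the activity's scope.
        ident = self.active.get(activity_id)
        return ident is not None and ident.resource == resource and right in ident.rights

    def complete(self, activity_id):
        ident = self.active.pop(activity_id)   # revoke: the identity no longer resolves
        self.audit.append(("revoked", ident.requester, None, ident.resource))

    def held_privileges(self):
        # Rights held right now; under ZSP this is empty whenever no activity is running.
        return {i.requester: set(i.rights) for i in self.active.values()}
```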


Unlike traditional PAM, where the focus is on protecting the means (for example, privileged accounts or settings) that provide privileges, the focus of the JEP and JIT workflow is on the user.

All an employee needs to know is that they are required to restart a specific server, and the system will take care of providing, protecting, and destroying the privilege when they are done.

The goal of Zero Standing Privileges (ZSP) can be achieved through just-in-time privileged access, improving the operational sustainability of your privileged access program and dramatically reducing the privilege attack surface.


Benefits of Zero Standing Privileges (ZSP)


Standing privilege means that accounts hold persistent privileged access to some set of systems at all times. Zero Standing Privileges (ZSP) is just the opposite.

It is the purest form of just-in-time administrator access, ensuring that the principle of least privilege is applied by granting authorized users the privileged access they need for a minimum period and only the minimum rights they need.

Eliminating permanent privilege through Zero Standing Privilege is a real advantage both for understanding who currently holds privileged access and for mitigating the associated cybersecurity risks.


Final Thoughts


It is encouraging to see the market has started to recognize standing privilege as a key risk that needs to be addressed and that storing secrets and rotating local administrator passwords on critical servers is not enough.

Attackers are targeting workstations as the easiest entry point and using the administrator access available on those workstations to spread across corporate networks.

It is necessary to adopt a Zero Standing Privilege posture in our environments. Stolen credentials will continue to be the easiest target for attackers and will continue to contribute to 80% of data breaches.
