This blog was originally published on March 2, 2018.
Protecting privileged accounts and actively responding to any potential compromise has become a critical initiative for many CISOs. Stolen credentials are at the heart of most modern attacks and breaches. Attackers can obtain credentials through phishing, brute force, keyloggers, pass-the-hash techniques, or databases of previously stolen credentials. Once an account is compromised, the attacker can see and do anything that user or account is allowed to do.
The higher the privileges of the account, the more valuable it is to an attacker. Compromise a network administrator, and an attacker would have free rein over the network, its applications and devices.
However, privileged users are not just limited to IT and security staff. Executives often have access to highly sensitive data, and are regularly granted exceptions to standard security policy. Employees and contractors can be granted higher privileges out of a short-term necessity and later forgotten. Attackers are highly skilled at finding privilege in the network and turning it to their advantage.
Here is a synopsis of some of the key ways you can keep these all-important accounts secure.
- Identify and Track Privileged Accounts
Privileged accounts can cause serious damage in the wrong hands. Keeping track of privileged accounts and endpoints is the first step toward keeping them secure.
- Downgrade Accounts Where Possible
Users holding privileged access they do not need are a common problem in enterprise networks, and one that attackers readily exploit: every unnecessary privilege raises the damage a single compromised account can do. Reduce each account to the lowest level of access its owner actually requires.
- Not all Service Accounts Need Privileged Access
A service account is a user account created explicitly to provide a security context for services running on applications that interact with operating systems. The security context determines the service account’s ability to access local and network resources. This means that not all service accounts need to also be privileged accounts. You should carefully review all service accounts in your environment to determine the appropriate access for each one, and remove privileges where they are not required.
- Don’t use the Administrator Account as a Shared Account
In many enterprise networks, the administrator account is used for servicing other accounts or making changes in the network. A shared administrator account should never be used as a service account, nor for any other routine purpose; actions taken under a shared account cannot be attributed to an individual.
- Remove Stale Privileged Accounts
As the IT team grows, security teams should regularly review service accounts and privileged user accounts. If a privileged account is stale and no longer required, security personnel should disable it.
- Change Default Passwords and Enforce Strict Password Rules
Weak passwords are a common culprit that lets cyberattackers into enterprise networks, or lets them reach more servers and user accounts through lateral movement. Passwords should be complex, changed from any vendor default, and unique to each account — it could make all the difference.
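The inventory, downgrade and stale-account steps above are the kind of review that is easiest to keep honest when it is automated. The following is an added example, not code from the original post or from CrowdStrike: it runs a privileged-account review over a directory export. It assumes (as a constructed input format, not any real product's schema) that each account arrives as a record with a name, a kind of either user or service, its group memberships, an ISO last-logon date and an enabled flag, and that a set of group names defines what counts as privileged. The sample accounts are made up.

```python
"""Privileged-account review over a directory export (added example).

Assumed input format (not from the original post): one dict per account with
'name', 'kind' ('user' or 'service'), 'groups', 'last_logon' (ISO date) and
'enabled'. In practice these records would come from an LDAP or directory
export; here they are constructed inline so the review runs offline.
"""
from datetime import date, timedelta

# Groups treated as privileged. Adjust to the environment under review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample export: made-up accounts, not from any real domain.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "kind": "user", "groups": ["Domain Admins"],
     "last_logon": "2024-05-01", "enabled": True},
    {"name": "bob", "kind": "user", "groups": ["Domain Users"],
     "last_logon": "2024-05-02", "enabled": True},
    {"name": "svc-backup", "kind": "service", "groups": ["Domain Admins"],
     "last_logon": "2024-05-03", "enabled": True},
    {"name": "svc-web", "kind": "service", "groups": ["Domain Users"],
     "last_logon": "2024-05-03", "enabled": True},
    {"name": "old-admin", "kind": "user", "groups": ["Administrators"],
     "last_logon": "2023-09-01", "enabled": True},
    {"name": "retired-admin", "kind": "user", "groups": ["Enterprise Admins"],
     "last_logon": "2023-01-15", "enabled": False},
]


def is_privileged(account, privileged_groups=PRIVILEGED_GROUPS):
    """An account is privileged if it holds any privileged group."""
    return any(g in privileged_groups for g in account["groups"])


def inventory_privileged(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Identify and track: every account that currently holds privilege."""
    return sorted(a["name"] for a in accounts if is_privileged(a, privileged_groups))


def stale_privileged(accounts, today, max_idle_days=90,
                     privileged_groups=PRIVILEGED_GROUPS):
    """Remove stale accounts: enabled privileged accounts idle past the threshold."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["name"] for a in accounts
        if is_privileged(a, privileged_groups)
        and a["enabled"]
        and date.fromisoformat(a["last_logon"]) < cutoff
    )


def disabled_still_privileged(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Disabled accounts that still hold privileged groups: the membership
    should be removed too, so re-enabling the account does not silently
    restore privilege."""
    return sorted(a["name"] for a in accounts
                  if is_privileged(a, privileged_groups) and not a["enabled"])


def privileged_service_accounts(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Service accounts holding privileged groups: candidates for downgrade
    unless a documented need exists."""
    return sorted(a["name"] for a in accounts
                  if a["kind"] == "service" and is_privileged(a, privileged_groups))


def review(accounts, today, max_idle_days=90, privileged_groups=PRIVILEGED_GROUPS):
    """Run every check and return the findings as one report dict."""
    return {
        "privileged": inventory_privileged(accounts, privileged_groups),
        "stale_privileged": stale_privileged(accounts, today, max_idle_days,
                                             privileged_groups),
        "disabled_still_privileged": disabled_still_privileged(accounts,
                                                               privileged_groups),
        "privileged_service_accounts": privileged_service_accounts(accounts,
                                                                   privileged_groups),
    }


if __name__ == "__main__":
    # Fixed review date so the sample findings are reproducible.
    for finding, names in review(SAMPLE_ACCOUNTS, date(2024, 5, 10)).items():
        print(f"{finding}: {', '.join(names) or '(none)'}")
```

Run against the constructed sample with a review date of 2024-05-10 and a 90-day idle threshold, the report lists four privileged accounts, flags old-admin as stale, flags retired-admin as disabled but still holding a privileged group, and flags svc-backup as a service account with privileged membership. The review date is passed in rather than read from the clock so that a scheduled run and a later re-run over the same export produce the same findings.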
- Learn more by reading the eBook, “A Frictionless Zero Trust Approach to Stopping Insider Threats.”
- Visit the CrowdStrike Falcon Identity Protection solutions webpage.
- Request a demo of CrowdStrike Falcon Zero Trust or Falcon Identity Threat Detection products.
- Read expert insights and analysis on other complex threats — download the CrowdStrike 2020 Global Threat Report.