The credential has become a commodity that will be breached. 74% of breached organizations admitted the breach involved access to a privileged account. In addition, the Verizon Data Breach Investigations Report found that, across all attacks, 29% of total breaches involved the use of stolen credentials, second only to phishing. Once a credential is compromised, privileged access management solutions are rendered useless.
The underlying reason for this (and why administrator credentials continue to be low-hanging fruit for attackers) is the access those credentials provide. Specifically, it is the always-on, 24x7x365, high level of access that administrator credentials carry that can be used to move laterally across a network, steal sensitive data, or deploy ransomware. The average privileged access management or endpoint privilege management solution was not purpose-built to address this risk.
Standing privilege refers to administrator accounts with "always-on" 24x7x365 privileged access. On average, at a large enterprise (companies with >15K devices), we find 480 users with admin access to the average employee workstation.
[Figure: average number of admins with 24x7 access to each workstation; admins with access to more than 2,000 systems; systems with more than 800 privileged access users]
These privileges typically take the form of privileged group memberships or device-level permissions that allow the execution of privileged commands. So even if a user is not explicitly granted access to a specific server or workstation, their domain-level or group-level permissions allow them access to that server or workstation whenever they need it.
There are three key reasons why standing privilege is prevalent:
In most cases, organizations provide this level of 24x7x365 access to enable administrators to do their jobs effectively. The two personas we see with this type of access are IT Helpdesk users and systems administrators.
So, admins always have more access than they need.
Admin rights change for many different reasons. New members are continually added as helpdesk and administrator teams grow, but old members who leave their teams or the company aren't always removed in a timely fashion. Group membership changes: if an Active Directory group confers some amount of privileged access and the membership of that group changes, the amount of privileged access in the ecosystem changes correspondingly. Local accounts might be added or removed, conferring or removing privileged access, and GPOs can change, which can confer privileged access across the entire enterprise for a set of accounts or groups.
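The two mechanisms above (group-level grants that reach every device the group is assigned to, and membership drift that silently changes who holds that access) are easy to see with a small model. The following is an added example, not code from the original article or from any vendor tool; the group names, device names and user accounts are constructed, and the data structures stand in for what you would pull from Active Directory and from each device's local Administrators group. It resolves nested group membership to concrete users, inverts that into a per-admin footprint (how many systems each account can reach), and diffs two snapshots to surface grants that appeared or disappeared.

```python
"""Model standing admin access derived from group membership and
device-level grants, and detect drift between two snapshots.
All data below is constructed sample data, not real directory output."""
from collections import defaultdict

# Constructed snapshot T0: AD-style groups; members may be users or other groups
GROUPS_T0 = {
    "Domain Admins": {"alice"},
    "Helpdesk Tier2": {"bob", "Helpdesk Tier1"},   # nested group
    "Helpdesk Tier1": {"carol", "dave"},
    "Server Ops": {"erin"},
}
# Constructed snapshot T0: principals in each device's local Administrators
# group (as pushed by GPO or set by hand). Non-group names are local accounts.
DEVICES_T0 = {
    "WS-001": {"Domain Admins", "Helpdesk Tier2"},
    "WS-002": {"Domain Admins", "Helpdesk Tier2"},
    "SRV-DB1": {"Domain Admins", "Server Ops"},
}

# Constructed snapshot T1, illustrating the drift cases in the text:
# frank joins Tier1, dave left the company but was never removed,
# a local admin account appears on WS-002, and a GPO change adds
# Helpdesk Tier2 to the database server.
GROUPS_T1 = {
    "Domain Admins": {"alice"},
    "Helpdesk Tier2": {"bob", "Helpdesk Tier1"},
    "Helpdesk Tier1": {"carol", "dave", "frank"},
    "Server Ops": {"erin"},
}
DEVICES_T1 = {
    "WS-001": {"Domain Admins", "Helpdesk Tier2"},
    "WS-002": {"Domain Admins", "Helpdesk Tier2", "localadm"},
    "SRV-DB1": {"Domain Admins", "Server Ops", "Helpdesk Tier2"},
}


def expand_members(principal, groups, seen=None):
    """Resolve a principal to the set of user accounts it represents,
    following nested groups and guarding against membership cycles."""
    if principal not in groups:
        return {principal}              # a user or local account
    if seen is None:
        seen = set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        if member in groups and member in seen:
            continue                    # already expanded (cycle or diamond)
        users |= expand_members(member, groups, seen)
    return users


def standing_access(groups, devices):
    """Map each device to the users holding standing admin rights on it."""
    return {
        dev: set().union(*(expand_members(p, groups) for p in principals))
        for dev, principals in devices.items()
    }


def admin_footprint(access):
    """Invert device->users into user->number of systems reachable."""
    counts = defaultdict(int)
    for users in access.values():
        for user in users:
            counts[user] += 1
    return dict(counts)


def access_drift(before, after):
    """Per-device users who gained or lost standing admin between snapshots."""
    drift = {}
    for dev in set(before) | set(after):
        b, a = before.get(dev, set()), after.get(dev, set())
        if a != b:
            drift[dev] = {"gained": a - b, "lost": b - a}
    return drift


if __name__ == "__main__":
    t0 = standing_access(GROUPS_T0, DEVICES_T0)
    t1 = standing_access(GROUPS_T1, DEVICES_T1)
    for dev, users in sorted(t0.items()):
        print(f"{dev}: {sorted(users)}")
    print("footprint at T0:", admin_footprint(t0))
    for dev, change in sorted(access_drift(t0, t1).items()):
        print(f"{dev}: +{sorted(change['gained'])} -{sorted(change['lost'])}")
```

Note that in the T1 snapshot nothing is ever "lost": a departed user keeps every grant until someone removes the membership, and a single GPO edit hands an entire helpdesk tier standing access to a server none of them were explicitly given. Running the same inversion against real directory and local-group exports is how the per-admin and per-system counts in the figure above are produced.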
This standing access increases an organization’s attack surface and can impact the network as follows:
The reason we as an industry have failed miserably at addressing standing privilege is because we struggle to answer two simple questions: