PAM Best Practices
Hey, everyone, welcome back to the course. So in the last video, we talked about why privileged access management is needed for your organization.
And in this video, we're going to talk about some of the best practices associated with it.

So one of the first things we want to think through is creating a comprehensive privileged management policy. So we also want to establish that, create that, and then also enforce it, right? So we want to have some type of repercussions if people are not following this policy. This policy needs to tell us what we do once we are creating an account, for example, right? So we're provisioning that access. What are the steps we need to take, as well as what are the steps that we need to take if somebody leaves the company? Or if we take a system offline, how do we go about deactivating that account or deleting it?
It should also talk about the inventory and classification of our assets, right? So how do we identify what privileged accounts we have, and how do we inventory those? And how do we maintain those and provide best practices for actually using security on these accounts, right? So how do we make sure that we're only provisioning resources that should get the access?
Now, we also want to go ahead and identify any accounts that we have. So we want to identify what actually is out there, and then we want to go ahead and put those in a central location. So we want to get that central management we kind of talked through before. So we're talking about the user accounts, local admin accounts, application administrator accounts, database accounts, cloud accounts. We want to also get a handle on the types of social media accounts, social media administrator accounts. So all these different accounts, we want to make sure that we get these under one location, so we can easily say Sally in marketing just left. Let's deactivate her standard user account. Let's go ahead and deactivate her access to the social media accounts, because she was the one posting on social media for the company. So we want to make sure we can access these accounts, these various accounts with this different access, from one central location.
Enforce least privilege, right? We've talked about this before. So if I notice that you have administrator rights but you shouldn't, I want to take that away right away. And yes, you may call me and say, "Hey, I can't do this specific thing," but that allows me to start asking the question of why do you need access to do that thing? And you say, "Well, it's because I need to generate this report every single day." And then I could say, "OK, well, I can just give you access to that report, but I'm not gonna give you the full access again." And so they get access to the report, they stop calling and complaining, and you're happy because you've implemented least privilege, right? They only got access to the thing that they needed and not everything else.
The other thing that we could do is we can remove root and admin access rights to servers, and so basically reduce every user on the servers to just a standard user. So it's gonna reduce our attack surface and also help safeguard those servers a little bit against attackers. And the same thing with our other applications and processes, tools, etc. We just want to make sure we're only giving the minimum access for that particular thing or that particular user to function properly.
Separating privilege and duty. So we need to make sure we have separate logging and auditing. And so what I mean by that is we need to have separate logging within the administrative account. So as an example, if Rebecca and I are both administrators and we both have separate administrative accounts on this particular server, we need separate logging and auditing of our accounts to make sure that if Rebecca makes a change, it doesn't actually affect me or is not traced back to me, right? Because I don't need that, because I wasn't in that server. That was Rebecca doing that mischief.
And we also want to make sure that we separate out various system functions. So things like our read, our editing or execution or write access, all these different types of functions. We want to make sure that we've got these separate. So as an example, if I've got access for reading documents or reading items, I shouldn't have write access necessarily. So just making sure that based off whatever access I should have, that's all I get. Same thing when we're talking about applications or other processes. We're talking about, can this application read or write to this thing? So if we think of our mobile devices for just a moment, think about when you use an app and it says, "Yes, I need to have access to this or this." So let's say, for example, you use, let's say, Facebook, and Facebook says, "Do you want to grant Facebook access to your microphone and your camera," and all this stuff, and you may not be posting pictures on Facebook. You may not use your mobile device to do that. So some people might say yes or no, ignore that. But you may say, "Wait a minute. Why do you need that access? That doesn't make any sense, right? Because I don't post photos. You don't need that access just to let me log into Facebook and check what my friends are doing." So again, we're just doing the same thing here. We're limiting what these applications have access to on our network. And then, of course, just limiting the account functions themselves, right? Like, what can this account do?
Segmentation is a big one, and many people that are sysadmins or network engineers out there, network admins, they're already doing network segmentation. But basically what this helps us do is it helps us separate our users, our departments, our processes even, based on different levels of trust, different levels of their actual needs, different levels of privilege sets, for example. And so if I've got certain systems or parts of the network that require higher trust or higher security, then I need to make sure that I'm implementing a little more robust security controls in place, where we have some more checks and balances, versus something that is, for instance, like a guest network, for example, right? So if I've got all my database servers on one network segment for some reason, I'm gonna secure that a lot better than I would, like, that guest network, because that's more critical information for the company. The other advantage of segmentation is if an attacker does get in, it makes it a little more challenging for them to move laterally throughout the network. So what do I mean by that? It just makes it more difficult for them to move from system to system throughout the network.
Enforcing password best practices. So number one, make sure you've got a centralized location to manage security credentials, and then having strong password complexity. Also using two-factor or multi-factor authentication where you can, right? You can't do it everywhere. Rotating passwords. So basically, if a password's really sensitive, making sure that you consistently or very frequently are changing it. And maybe, like, a user password just changes every 30 days or 45 days; in most companies it's about every 45 to 90 days. Making sure that no one is sharing their passwords, right? So we talked earlier about password sharing in IT departments, but it happens in all sorts of departments. And then we're talking about changing default credentials. We wanna make sure we remove those hard-coded credentials, right? So I gave an example earlier about routers and having admin/admin as a username and password. We want to just make sure that we're changing those.
Monitoring. We want to make sure that we're actually monitoring any privileged access accounts especially, so like your administrator accounts, as well as alerting ourselves to what's going on with those accounts. So if there's a change in privileges or an escalation of privileges, we get alerted to that, and then also auditing those records to make sure that we're not missing anything. So as part of that tracking, that might be just keystroke tracking. It could also be screen captures of what is that user actually doing.
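As an added example that is not part of the course transcript, here is the monitoring and separate-auditing practice above run over a few constructed auth.log-style sudo lines: it alerts on privilege escalation (an account added to an admin group), on privileged commands by accounts outside the approved admin inventory, and on sudo attempts by accounts with no sudo rights, and it keeps a per-account trail so each change traces to exactly one admin. The host name, user names and the approved-admin inventory are assumed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in Linux auth.log style (not real data).
SAMPLE_LOG = """\
Mar 10 09:01:12 web01 sudo: rebecca : TTY=pts/0 ; PWD=/home/rebecca ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo sally
Mar 10 09:02:45 web01 sudo: rebecca : TTY=pts/0 ; PWD=/home/rebecca ; USER=root ; COMMAND=/bin/cat /var/log/syslog
Mar 10 09:05:03 web01 sudo: sally : TTY=pts/1 ; PWD=/home/sally ; USER=root ; COMMAND=/bin/bash
Mar 10 09:07:30 web01 sudo: bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""
# Assumed (hypothetical) inventory of accounts approved for privileged use.
APPROVED_ADMINS = {"rebecca"}
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sudo: +(?P<actor>\S+) : "
    r"(?P<detail>.*?)COMMAND=(?P<cmd>.*)$")
GROUP_ADD_RE = re.compile(r"usermod\s+-aG\s+(?P<group>\S+)\s+(?P<target>\S+)")

@dataclass
class Alert:
    actor: str
    reason: str
    command: str

def analyze(log_text: str) -> list[Alert]:
    """Return one Alert per suspicious privileged action, attributed to its actor."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo record; other parsers would handle it
        actor, cmd = m["actor"], m["cmd"]
        if "NOT in sudoers" in m["detail"]:
            alerts.append(Alert(actor, "sudo attempt by account without sudo rights", cmd))
            continue
        if actor not in APPROVED_ADMINS:
            alerts.append(Alert(actor, "privileged command by account outside approved inventory", cmd))
        g = GROUP_ADD_RE.search(cmd)
        if g and g["group"] in ADMIN_GROUPS:
            alerts.append(Alert(actor, f"privilege escalation: {g['target']} added to {g['group']}", cmd))
    return alerts

def actions_by_actor(log_text: str) -> dict[str, list[str]]:
    """Per-account audit trail: every successful privileged command keyed by who ran it."""
    trail: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m and "NOT in sudoers" not in m["detail"]:
            trail[m["actor"]].append(m["cmd"])
    return dict(trail)
```

Running `analyze(SAMPLE_LOG)` on the constructed lines yields three alerts: Rebecca adding Sally to the sudo group, Sally's later root shell as an account outside the inventory, and Bob's failed sudo attempt.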
Enforcing vulnerability-based least privilege access. So basically, if we know that there's certain vulnerabilities out there, and, you know, something like the Top 10 vulnerabilities, for example, we know the specific vulnerabilities to the systems we want to secure. And we know that, for example, an attacker is exploiting that in the wild, and they're able to take advantage of that because of a privileged user account. We want to restrict the accounts on that particular system or device as much as possible and only grant least privilege on those systems or devices.
So in this video, we just talked about some of the best practices for privileged access management. Now, in the next module, we're gonna talk briefly about privileged access management in Active Directory, and then we're going to do a couple of labs to wrap up the course. Now, I do want to stress that for these labs we will have a brief introduction video, but we will not have a step-by-step lab walkthrough, and in the resources section of this course, there will be step-by-step guides for you to follow along with the labs.