Credentials are the main battlefront in our ongoing computer security war. Deploy everything you have to keep them safe Credit: Thinkstock Protecting elevated authentication credentials is one of the best defense-in-depth strategies any company can deploy.In today’s pass-the-hash, pass-the-Kerberos-token, steal-any-credentials world, preventing credentials from falling into the wrong hands can be the entire battle. Identity is security. If an identity and its authentication credentials get into the wrong hands, often enough, it’s game over.For decades we’ve told people not to stay logged in as admin or root all the time. Alternatively, they should have two accounts: one for regular user duties (email, browsing the Web, and so on) and another elevated one for administrative duties. That’s the old way of thinking. Today’s advice includes using just-in-time credentials, two-factor authentication, and least-privilege delegation. Minimize permanent membershipStart by minimizing the number of permanent members of any elevated group as much as possible. The Holy Grail is zero members of any elevated group. If you can’t get to zero, get to near zero. Your processes, tools, services, and applications should be able to work in a world where no one needs to be an elevated admin all the time. This is the 21st century, after all.Use two-factor authenticationMany companies have been compromised because their users and admins either had their credentials phished away or they reused a password on both corporate and unrelated, third-party sites and services. The bad guys break into the third-party site, then see if they can reuse stolen credentials on the corporate network. That’s why anyone who can be elevated to do something administratively should be required to use two-factor authentication (or better) to log on in. Two-factor authentication doesn’t provide as much protection as most people think (for example, pass-the-credential attacks are still viable), but they help, mainly because admins can’t be phished out of a plaintext password or PIN anymore.Delegate, delegate, delegateEven in a Holy Grail environment of zero permanent admins, admins are needed — or more precisely, people who need to perform administrative-level tasks are needed. But we need to make sure most of those administrative tasks are performed by people who are less than full admins.Most administrators do not need everything a full admin credential gives them. Some tasks absolutely require full admin privileges, but those scenarios are not typical. In the majority of cases, an elevated credential can be a “delegated” permission or privilege, while still remaining least privilege — only the bare essential access to do the job. Even then, it should be accorded only while needed. Implement just-in-time credentialsI’m a huge fan of systems that give users elevated privileges and permissions for only as long enough for them to perform their admin duty — after which they’re taken away. These are known as just-in-time systems.A decade or so ago the idea of delegated, just-in-time was promoted as the best access control model in what is known as role-based access control. I’ve been a believer of it ever since. The idea was that the application developers are the only ones who really know which rights and permissions are needed to perform a particular application task.Developers figure out what’s needed and hard-code those various permissions and privileges to particular tasks, which are then collected into particular application roles. Users and application administrators place application users into various application roles; those users are then allowed to perform these predefined tasks while in the application and only while in the application. To assign permissions and privileges any other way is really a bit insane. How did our computer networks evolve so that network administrators are the ones who guess at and assign permissions? They aren’t the application owners — and are almost never the masters of every application — yet they’re expected to outthink application developers about who needs which rights and permissions.I’m fairly confident that role-based access control will be the ultimate and only access control model we all use. But we’re struck in another critical transition between what we have and what we will eventually have. Until then, just-in-time, two-factor, least-privilege delegation is the way to go. I don’t care how you get there. It can be a program that does all the behind-the-scenes work for you, or you can do it manually or using scripts. How you get there is not as important as getting there.Require armor-plated boxesA recent addition to the just-in-time model is the new requirement that all administrative credentials are entered, and all administrative tasks performed, only on very secure computers. No more logging on as admin to your regular computer, which could be already compromised by malware or a hacker. Nope, admins should be restricted to using only dedicated computers (physical computers are better than virtual machines). The systems they connect with should accept admin connections from only these secure computers. Secured computers should not have an Internet browser or be allowed to initiate or accept connections from the Internet (or only allowed to accept connections from a small set of predefined sites). Application control software should restrict which programs the admin can run — and only a small set of software programs should be on that list.What secure administration really meansAdministrators should use the most secure admin methods possible. Logging on to other computers in a way that leaves credentials hanging around for the hacker to steal should be forbidden or minimized. If possible, admins should use remote methods that do not send stealable credentials at all. Get your admins out of the habit of using GUIs that require full local or remote logons.I’m not unique in offering this advice. This, and more, is recommended by many organizations. Heck, some companies have been running this way for decades. My only somewhat new suggestion: Your secure admins running on secure admin workstations should also include all your application admins. Data theft doesn’t require a hacker to steal operating system admin credentials. Often, all that’s needed is the access of a regular user. I’ve seen some applications with dozens to hundreds of all-powerful admins. Do they need that power? Are they properly protected? Almost never in both cases.Credentials are the main battlefront in our ongoing computer security war. Deploy everything you have to protect them. Related content news Bug in EmbedAI can allow poisoned data to sneak into your LLMs The vulnerability can be used to deceive a user into inadvertently uploading and integrating incorrect data into the application’s language model. By Shweta Sharma May 31, 2024 3 mins Generative AI Vulnerabilities news OpenAI accuses Russia, China, Iran, and Israel of misusing its GenAI tools for covert Ops OpenAI’s generative AI tools were used to create and post propaganda content on various geo-political and socio-economic issues across social media platforms, the company said. By Gyana Swain May 31, 2024 4 mins Generative AI news Okta alerts customers against new credential-stuffing attacks Hackers are using credential-stuffing to attack endpoints that are used to support the cross-origin authentication feature. By Shweta Sharma May 31, 2024 4 mins Identity and Access Management Vulnerabilities feature 3 reasons users can’t stop making security mistakes — unless you address them Understanding what’s behind employee security mistakes can help CISOs make meaningful adjustments to their security awareness training strategies. By Ariella Brown May 31, 2024 5 mins Data Breach Risk Management PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe