SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Privileged Account Management (Part 11 of 20: CERT Best Practices to Mitigate Insider Threats Series)


The eleventh practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 11: Institute stringent access controls and monitoring policies on privileged users. In this post, I discuss the importance of privileged account management and its effect on the security of the organization.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The eleventh of the 20 best practices follows.

Practice 11: Institute stringent access controls and monitoring policies on privileged users.

Last week I discussed general account security, and today I'll write about the additional scrutiny and controls needed for privileged user accounts. Privileged accounts include those with any elevated level of access, such as Windows Domain Administrators, UNIX root and sudo user accounts, and application-level administrative accounts. Even accounts with minimal additional privileges, such as users who have elevated privileges only on their own workstations, should be considered when formulating insider threat monitoring policies and controls.

To prevent privilege creep, privileged accounts should be audited more thoroughly and routinely than regular accounts. Role changes within the organization should precipitate a thorough examination of account privileges to ensure that users do not continually accrue new permissions as they move around the organization. Moreover, users who accept the responsibilities of elevated privileges should clearly understand the rules of behavior imposed on them.
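A way to make the role-change audit described above concrete, as an added example that is not from the guide or the CERT Division: compare each user's current group memberships against a role-to-entitlement baseline and flag anything the current role does not justify, noting whether it was carried over from the user's previous role. The baseline, group names, and directory export are constructed sample data, not real entitlements.

```python
from dataclasses import dataclass

# Hypothetical role-to-entitlement baseline (constructed for this example).
ROLE_BASELINE = {
    "helpdesk": {"Helpdesk-Tier1", "Remote-Assist"},
    "server-admin": {"Domain-Admins", "Server-Operators"},
    "developer": {"Dev-Git-Write", "Build-Servers"},
}

# Groups that confer elevated access; lingering membership is a high-severity finding.
PRIVILEGED_GROUPS = {"Domain-Admins", "Server-Operators", "Build-Servers"}

# Constructed directory export: current role, previous role, and group memberships.
DIRECTORY = {
    "alice": {"role": "developer", "prev_role": "helpdesk",
              "groups": {"Dev-Git-Write", "Build-Servers", "Helpdesk-Tier1"}},
    "bob":   {"role": "helpdesk", "prev_role": "server-admin",
              "groups": {"Helpdesk-Tier1", "Remote-Assist", "Domain-Admins", "Build-Servers"}},
    "carol": {"role": "server-admin", "prev_role": None,
              "groups": {"Domain-Admins", "Server-Operators"}},
}


@dataclass
class Finding:
    user: str
    group: str
    severity: str   # "high" for privileged groups, "low" otherwise
    origin: str     # where the excess membership appears to come from


def audit_privilege_creep(directory, baseline, privileged):
    """Return one Finding per group a user holds that the current role does not grant."""
    findings = []
    for user, rec in sorted(directory.items()):
        allowed = baseline.get(rec["role"], set())
        carried = baseline.get(rec.get("prev_role"), set())
        for group in sorted(rec["groups"] - allowed):
            sev = "high" if group in privileged else "low"
            if group in carried:
                origin = f"retained from previous role {rec['prev_role']}"
            else:
                origin = "not explained by any recorded role"
            findings.append(Finding(user, group, sev, origin))
    return findings


if __name__ == "__main__":
    for f in audit_privilege_creep(DIRECTORY, ROLE_BASELINE, PRIVILEGED_GROUPS):
        print(f"{f.severity.upper():4} {f.user:6} {f.group:16} {f.origin}")
```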

While policies help users understand expectations and serve to enforce penalties for infractions, technology controls can help prevent and detect wrongdoing whether from unintentional or malicious insiders. If your organization does not deploy user activity monitoring (UAM) tools enterprise-wide, at least consider using these tools for privileged user accounts and administrative activities. For example, forcing administrative functions to occur on a smaller number of designated systems can reduce costs by limiting the number of monitored hosts.

I mentioned shared account password management (SAPM) tools in last week's post, and these tools are even more important to implement for shared accounts that have elevated access, such as the built-in Windows Administrator or UNIX root accounts. Some SAPM tools can also serve to enforce the two-person rule and separation of duties, which CERT recommends as insider threat best practices. Specifically, some tools require a two-phase approval process before a privileged account can be used. SAPM tools typically log and potentially raise an alert when an administrative password is viewed, changed, or used, thus enabling a separate group of auditors to examine the activities performed by administrators.
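The two-phase approval and audit-logging behaviour described above, modelled as an added example (not code from the guide or from any SAPM product): a shared privileged password is released only after a second person approves the checkout, every view and change is recorded in an append-only log for a separate auditor group, and the password is rotated on check-in. Account and user names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets

@dataclass
class Checkout:
    account: str
    requester: str
    approver: str = ""   # empty until a second person approves

class SharedAccountVault:
    """Toy SAPM model: release a shared admin password only after two-person approval."""
    def __init__(self):
        self._secrets = {}   # account -> current password
        self._pending = {}   # ticket -> Checkout
        self.audit_log = []  # append-only events reviewed by a separate auditor group

    def _log(self, event, **fields):
        fields.update(event=event, ts=datetime.now(timezone.utc).isoformat())
        self.audit_log.append(fields)

    def enroll(self, account):
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("password_changed", account=account, actor="vault")

    def request(self, account, requester, reason):
        ticket = secrets.token_hex(4)
        self._pending[ticket] = Checkout(account, requester)
        self._log("checkout_requested", account=account, actor=requester, ticket=ticket, reason=reason)
        return ticket

    def approve(self, ticket, approver):
        co = self._pending[ticket]
        if approver == co.requester:   # two-person rule: no self-approval
            self._log("approval_rejected", account=co.account, actor=approver, ticket=ticket)
            raise PermissionError("requester cannot approve their own checkout")
        co.approver = approver
        self._log("checkout_approved", account=co.account, actor=approver, ticket=ticket)

    def reveal(self, ticket, actor):
        co = self._pending[ticket]
        if not co.approver or actor != co.requester:
            raise PermissionError("password not released for this actor")
        self._log("password_viewed", account=co.account, actor=actor, ticket=ticket)
        return self._secrets[co.account]

    def check_in(self, ticket):
        co = self._pending.pop(ticket)   # rotate so the viewed value dies with the ticket
        self._secrets[co.account] = secrets.token_urlsafe(24)
        self._log("password_changed", account=co.account, actor="vault", ticket=ticket)
```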

Multi-factor authentication (MFA) is another important mechanism for securing privileged accounts against attacks ranging from simple social engineering or brute-force attempts to more advanced techniques such as pass-the-hash or extracting credentials from memory. Establishing MFA could have prevented incidents in the CERT Insider Threat Incident Corpus that involved users deliberately or unknowingly sharing privileged credentials that were then used for malfeasance either before or after the insider's departure.

Finally, good account lifecycle management practices are especially critical for privileged accounts. Accounts and privileges should be identified and documented to facilitate removing them when an employee leaves a position (or the organization). We know of several instances where former administrators were able to either maintain or re-establish privileged access (that should have been disabled) to the victim's network to cause harm.

In short, building on the general password and account management controls that I discussed last week, privileged accounts should be subject to additional scrutiny and controls that include

  • periodically auditing permissions to prevent privilege creep
  • establishing user agreements to elicit and enforce good administrative behaviors
  • implementing UAM tools that target privileged activities
  • enforcing separation of duties and the two-person rule for administrative functions
  • implementing multi-factor authentication systems

Check back next week to read about Practice 12: Deploy solutions for monitoring employee actions and correlating information from multiple data sources, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.


View other blog posts by Derrick Spooner.