NIST Guide Demonstrates How to Control Privileged Accounts

Over the past few months IdRamp has been working closely with The National Cybersecurity Center of Excellence (NCCoE) to develop the National Institute of Standards (NIST) practice guide for Privileged Account Management. The guide will help improve security associated with privileged accounts that control critical infrastructure, data, applications, services, and assets. The guide has been released and is now available for public review.

To view the official press release please visit the Washington Business Journal
To view the Privileged Account Management Guide please visit the National Institute of Standards

About Privileged Account Management

Privileged accounts are used to access and operate mission critical information systems. Privileged accounts are used by trusted people who perform advanced administration tasks that regular users are not authorized to perform. The systems, processes, and procedures used to protect these special accounts are generally known as Privileged Account Management.

Why did the National Cybersecurity Center of Excellence create this guide?

The financial sector has been attacked multiple times by malicious actors exploiting privileged or “super user” accounts on internal or customer-facing systems. The attacks which are estimated to have had significant financial and reputational damage rely on the operational necessity for companies to create privileged accounts that have access to systems and information far beyond that of ordinary users. For example, these accounts may allow system administrators to perform important duties including routine system maintenance, mitigating and responding to emergency events, and data processing.

If mismanaged, these privileged accounts pose a significant risk to an organization. They can be used to cause significant operational damage in the form of data theft, espionage, sabotage, ransom, or the bypassing of important controls. Malicious external actors can gain unauthorized access to privileged accounts by leveraging stolen credentials, lax security controls, keyloggers, default passwords, or social engineering attacks. In addition, there are rare instances of disgruntled employees who abuse their privileged accounts even after they have left the company. This can affect high value application accounts (such as social media accounts) and more everyday systems (e.g. human resources, security controls, database access).

Will C level executives find value in the PAM guide?

Volume A of the NCCoE’s Privileged Account Management Practice Guide will help executives understand the threat and provide them with the decision-making tools to make informed choices that will improve the security of the most privileged accounts within their organization. Executives will be able to direct technical teams, contractors, or integrators to take actions that will allow the organization to:

Identify and catalog previously unknown, high-value privileged accounts that pose a risk
Reduce the complexity of managing privileged accounts by limiting authorized users and employing automated enforcement of use policies
Simplify compliance via automated reports

Will information technology leaders find value in the PAM guide?

Volume B and C of the practice guide assume that IT professionals have experience implementing security products within the enterprise. IT professionals who choose to implement PAM will find practical and actionable information throughout the entire guide.

Clear instructions. The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than re-creating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to re-create the example implementations.
The technology is commercially available and adaptable. A suite of commercial products was used to build the example implementations in our lab (this guide does not endorse these products). An organization can replicate the example implementation(s) in its online environment or can use the guide as a starting point for tailoring and implementing parts of the PAM capabilities demonstrated. An organization’s security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
The guide maps to both cybersecurity standards and best practices. IT professionals can use our step-by-step guide to inform and develop a strategy by selecting from several different PAM-related capabilities that best meet their organization’s needs. Work roles are also mapped to the NICE Cybersecurity Framework to assist IT managers with understanding what skills are needed to execute and manage PAM example implementations.
Expert-vetted architecture and reference designs—The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the financial services sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing financial institutions and other enterprises with the detailed information they need to replicate PAM example implementations.
Expert-vetted architecture and reference designs. The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the financial services sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing financial institutions and other enterprises with the detailed information they need to replicate PAM example implementations.

To view the official press release please visit the Washington Business Journal

To view the Privileged Account Management Guide please visit the National Institute of Standards

*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.

Cookie	Type	Duration	Description
__cfduid	1	4 weeks	The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address d apply security settings on a per-client basis. It doesnot correspond to any user ID in the web application and does not store any personally identifiable information.
cookielawinfo-checkbox-advertisement	0	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	0	11 months	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-performance	0	11 months	This cookie is used to keep track of which cookies the user have approved for this site.
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
_ga	0	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gid	0	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
GPS	0	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	1	1 year	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
is_unique	0	4 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form
is_visitor_unique	0	2 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form
sc_is_visitor_unique	0	2 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
vuid	0	2 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

Cookie	Type	Duration	Description
_gat	0	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
muxData	0	19 years	This cookie is used to enable certain video player functionalities associated with Vimeo.
PREF	0	7 months	This cookie is set by Youtube. Used to store user preferences like language or any other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	1	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	1		This cookies is set by Youtube and is used to track the views of embedded videos.