Use Standard User Accounts: Enforce that all users have a standard user account. Administrators across all platforms should log in with their standard accounts as normal practice and never use administrative accounts when using services like email or banking. They should only log in with administrative rights when they need to perform administrative tasks. And any activities performed while using administrative rights should be controlled and protected using PAM end-to-end.

Never Share Credentials: The risks of shared credentials and passwords, whether between peers or vendors, just elevate the risk of the password being misused and potentially leaked to a threat actor. It also makes auditing activity to a single user difficult, if not impossible.

Never Reuse Passwords: If one resource is compromised, then every other resource with the same shared password is at risk, even if the account or username is different.

Never Store Passwords in Clear Text: Passwords should be kept secret. They should never be exposed in plain sight, no matter how they are stored.

Secure Passwords: If passwords need to be documented, they should be in an encrypted file, secured file system, or locked away in a physical safe as required based on business requirements.

Minimize the Number of Aliases: Making identities trackable and not hackable is key to correlating user activity to a single person.

Minimize the Number of Administrative Accounts: The lower the number of privileged users and their associated accounts, the lower the privileged risk surface and, consequently, the less to monitor and audit for privileged activity.

Frequently Rotate Privileged Passwords: Privileged passwords should be rotated after every use for privileged activity or on a regular schedule for electronic accounts. This keeps them from becoming stale and part of a password reuse attack, and less likely to be leaked over time.

Ensure Passwords Are Complex: Privileged passwords should not be easily readable by humans. Complex passwords that are not recognizable words or phrases help ensure they cannot easily be transcribed or verbally discussed. Every password should be complex, but some should be more complex than others to remove the human risk element from the equation. This includes even using letters from foreign languages to strengthen complexity.

Require Multi-Factor Authentication: Implement multi-factor authentication for access to internal systems, applications, and sensitive data. While implementing static multi-factor based on whether a system or application is good, getting too restrictive can become frustrating for users. Look for solutions that can also restrict access based on the risk associated with the environment or activity. For example, if someone tries to launch a sensitive application after hours for the first time, or tries to run a sensitive command on a server that is missing critical patches, consider stepping up the security and triggering to reauthenticate with multi-factor to be certain the identity is who they claim to be.

Implement Application Reputation Controls (whitelisting, blacklisting, and greylisting): Implement policy to allow known good applications and log or deny potentially deviant applications. If possible, restrict launching of end-user applications with critical known security vulnerabilities.

Enforce the Principle of Least Privilege: If a user does not need access to systems, applications, resources, or data, remove their privileges. Remove administrator rights on desktops for all users and servers where administrators should be performing only specific tasks.

Automate Password Management: Control and audit requests for administrative passwords and launching of privileged sessions. Require unique passwords across all privileged systems and accounts.

Eliminate Embedded Passwords: Replace hard-coded passwords in applications, in service accounts, and in automation tools supporting DevOps. Consider concepts like just-in-time access to only allow credentialed access for those fine instances when deemed appropriate.

Use Context-Based and Adaptive Access Controls: At some point, people need access to do their jobs. However, that access should continue to be locked down, monitored, and validated. Restricting access based on static elements, like time of day or subnet, is good, but restricting access dynamically based on risk (i.e., does a ticket exist for the access, does this request adhere to normal access patterns, have I received recent alerts from my threat detection layers, etc.) adds greater protections.

Monitor All Sensitive Privileged Session Activity (especially to crown jewels): Any type of privileged activity to the crown jewels should be session recorded, keystroke logged, and monitored for inappropriate activity. If possible, the initial session review should be automated to rapidly identify a potential threat.

Understand Obligations to Auditors and for Compliance: IT and security professionals perform multiple diverse functions to secure a business. They should not do them as a checkbox for compliance. Understanding the exact nature of the requirement and the best way to meet the mandates can make everyone more secure and, ultimately, auditors happy (if there is truly ever such a thing). And just remember, being compliant alone does not make you secure. However, making your organization secure generally does make it compliant.

Implement Threat and Advanced Behavioral Monitoring: Implement privileged access security event monitoring and advanced threat detection (including user behavior monitoring) to more accurately and quickly detect compromised account activity, as well as insider privilege misuse and abuse.

Segment Your Network: Group assets, including application and resource servers, into logical units that do not trust one another. Segmenting the network reduces the “line of sight” access attackers have into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and privileged session monitoring. Where possible, go beyond standard network segmentation. Segment based on the context of the user and privileges, and the resources, applications, and data that they are accessing. This is also known as micro-segmentation. If possible, even consider zero trust for your newest initiatives to segment authentication.

If You Are NOT Having Fun, You Should Get a Different Job: If a security professional is unhappy, they are not doing their job correctly. All the preceding items are potentially at risk, and so is the business. Security professionals need to be happy with their work, satisfied with the environment, and challenged on a regular basis. Security is ever-changing, complacency in security is death, and being unhappy will let the latest threat walk right past you. A threat actor does not care if you are happy or not, they just want your administrative accounts.