A CEO’s Guide to Securing from Within

In recent years, several high-profile breaches have shown the grave security risks posed by unsecured privileged accounts and credentials
Udi Mokady, CyberArk

Privileged accounts – which include administrative accounts, default and hardcoded passwords, application backdoors, and more – effectively deliver the ‘keys to the kingdom’, enabling widespread access to the most sensitive data held within a corporate network. Yet, despite the repeated warnings from security experts, these powerful internal privileges continue to be neglected and poorly secured. These credentials are commonly exploited as part of targeted attacks, both from rogue insiders and malicious attackers.

In recent years, several high-profile breaches have shown the grave security risks posed by unsecured privileged accounts and credentials. Indeed, the recent NSA leak highlighted the significant damage that can be caused by the abuse of internal privileges. As a former systems engineer and systems administrator for the NSA and senior advisor for the CIA, it was Edward Snowden’s user credentials that enabled him to view and subsequently leak the highly sensitive information he was privy to.

Albeit an extreme example of the insider threat, Snowden’s revelations regarding the astonishing level of control and access that he held within various technical positions paint an alarming picture. According to IDC’s Paul Strassman, “Systems administrators (like Snowden) are among the principal instigators of information systems sabotage. Insider sabotage happens when a person already possessing access privileges inflicts damage by exploiting flaws in the management of an organization.”

Whereas the insider threat has traditionally been associated with the abuse or misuse of privileged credentials from within an enterprise – be it through the actions of a hapless or a malicious employee – the insider threat can also refer to the use of internal credentials by external contractors. The practice of outsourcing is now commonplace and this extends the risk of an organization falling victim to an ‘insider job’. Further broadening the risks associated with internal privileged accounts is the fact that these powerful credentials are now highly sought-after by cybercriminals. Indeed, the issue of internal security has been underlined by the rise in advanced and targeted cyber-attacks, which have been proven to propagate via these internal privileges. 

Protecting and auditing privileged accounts is now mandatory – a requirement that has recently been driven by the rise in targeted cyber-attacks and the continued threats posed by internal users. However, to what extent does compliance ensure security? In increasingly challenging times for organizations, as the cyber threat level continues to escalate, are you fully confident in the security strategy of your company? With advanced and targeted attacks on the rise, is your workforce equipped with the knowledge and tools required to ward off today’s highly sophisticated cyber attackers? In the event of a breach, are the necessary controls in place to ensure that minimal damage is done? The fact is that the majority of CEOs who answer yes to all of these questions are either grossly underestimating the problem facing their business, or are overconfident in their business’ ability to counter the threats it faces.

The Scale of the Problem

To ensure that the necessary controls are in place around these immensely powerful credentials, an organization must first be acutely aware of the full extent of the issue within their enterprise. Indeed, only once IT decision makers can identify the exact number of privileged accounts and access rights in existence within their network; who should and who does have access to these controls; and exactly where these accounts live, can an effective security strategy be achieved.

Privileged accounts can be found in almost any device with a microprocessor: PCs, databases, operating systems and networked devices such as photocopiers, among others. However, recent research found that over a third of C-level executives did not understand exactly where privileged accounts exist within a network, nor the full extent of the resulting security issue.

The survey also revealed that executives are grossly underestimating the number of privileged accounts that exist within their network. Based on the examination of over 1,200 customer deployments, CyberArk determined that the number of privileged accounts in an organization is typically three to four times the number of employees. However, when asked to estimate the number of privileged accounts in their organization, 86% of respondents from large enterprises – with 5,000 or more employees – reported that they either did not know how many they had or that there were no more than one per member of staff. Worryingly, this indicates that at least two out of every three privileged accounts within these organizations are unknown and, as a result, are highly likely to be unmanaged.

Furthermore, the research found that even the known accounts are often poorly protected and shared, with 51% of organizations surveyed reporting that privileged and administrative passwords were shared among “approved users”. This lax security also appears to be more widespread within larger enterprises, where 56% of respondents stated they shared privileged passwords, as opposed to 47% of SMBs with 5,000 employees or fewer.

The approach organizations commonly take to protecting assets from the inside is clearly due for an overhaul. The same survey found that despite 82% of respondents stating they have processes in place for changing privileged passwords, 49% of all businesses take 90 days or longer to change them, while 74% take 60 days or longer. This problem is again greater within larger enterprises, where 53% take 90 days or longer to change privileged passwords.
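The audit the article describes – count the privileged accounts, compare them to headcount, find shared passwords and passwords older than the 60- and 90-day marks – can be run as a script over an account inventory. The following is an added illustration, not code from the article or from CyberArk; the inventory, hosts and people in it are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    host: str
    kind: str            # e.g. "domain-admin", "local-admin", "service", "default"
    owners: tuple        # people who hold the password; more than one means it is shared
    last_rotated: date   # when the password was last changed


def audit_privileged_accounts(accounts, headcount, today):
    """Summarise an inventory against the thresholds discussed in the article:
    accounts per employee (typically 3-4x), shared passwords, and passwords
    not rotated for 60 or 90 days."""
    def label(a):
        return f"{a.name}@{a.host}"

    age = {label(a): (today - a.last_rotated).days for a in accounts}
    return {
        "total": len(accounts),
        "per_employee": len(accounts) / headcount,
        "shared": sorted(label(a) for a in accounts if len(a.owners) > 1),
        "stale_60": sorted(k for k, d in age.items() if d >= 60),
        "stale_90": sorted(k for k, d in age.items() if d >= 90),
    }


# Constructed sample inventory (hypothetical hosts and people, not real data).
TODAY = date(2014, 3, 1)
SAMPLE_INVENTORY = [
    PrivilegedAccount("Administrator", "DC01", "domain-admin", ("alice",), date(2014, 2, 20)),
    PrivilegedAccount("root", "db01", "local-admin", ("alice", "bob", "carol"), date(2013, 10, 1)),
    PrivilegedAccount("svc_backup", "fs01", "service", ("bob",), date(2013, 12, 15)),
    PrivilegedAccount("admin", "printer-3f", "default", ("facilities",), date(2012, 1, 1)),
    PrivilegedAccount("root", "www01", "local-admin", ("carol", "dave"), date(2014, 1, 10)),
    PrivilegedAccount("sa", "db01", "service", ("bob",), date(2013, 8, 1)),
]
HEADCOUNT = 2   # constructed: a tiny company, so the accounts-per-employee ratio is visible

if __name__ == "__main__":
    for key, value in audit_privileged_accounts(SAMPLE_INVENTORY, HEADCOUNT, TODAY).items():
        print(f"{key}: {value}")
```

On the sample data the script reports six accounts for two employees (3.0 per head), two shared root passwords, and three passwords older than 90 days, including the default printer account that has never been rotated.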

Poorly secured or shared passwords leave organizations vulnerable to attack. According to Gartner, “Sharing super-user account passwords dramatically increases the risk that a password may become known outside the intended groups. Furthermore, poorly controlled use of shared accounts cannot provide the individual accountability that is a security best practice and demanded by regulatory compliance.”

The APT Privileged Factor

The power of privileged accounts cannot be over-emphasized, as these credentials have been exploited in the execution of some of the most damaging cyber-attacks and data breaches in recent years. Take the incidents involving Saudi Aramco, Global Payments, Subway and the attacks on South Korean banks and broadcasters, as high-profile examples of the potential fall-out that can ensue from the neglect of internal privileges. A recent report from security firm Mandiant (subsequently purchased by FireEye) considered the growing issue: “APT intruders prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Despite the fact that awareness around advanced targeted attacks is higher than ever before thanks to ongoing media coverage, it is clear organizations are failing to secure these primary attack vectors. Indeed, there appears to be a disconnect between organizations identifying the privileged connection in APT attacks and putting in place the necessary controls and best practices to mitigate the threat facing their business.

A Five-step Guide

Enterprise IT teams often focus primarily on keeping on top of an evolving set of demanding compliance requirements and regulations; however, this can be counterproductive. Meeting a lengthy set of minimum requirements may ensure your organization is compliant in the short term, but to what extent is it truly secure against the ever-evolving threat landscape? Not only does the process of ‘ticking boxes’ demand a substantial amount of a workforce’s time, but it can also take the focus away from protecting what really matters within an organization and staying one step ahead of the rapid developments in the cyber threat landscape.

By implementing security best practices, compliance will follow. With this in mind, organizations must now focus on the following areas to achieve an effective and robust cybersecurity strategy that keeps pace with growing threats; meeting these standards will also raise compliance levels:

  • Assume that attackers are already on the inside – In the same way that locked doors within your house will restrict a burglar once inside your property, enterprises must consider a similar situation within their corporate network. Perimeter-based defenses are infiltrated with relative ease by today’s attackers. With this in mind, the focus should be on making life as difficult as possible for hackers or malicious employees, by putting in place robust controls around internal privileges.
  • All privileged/administrator activity must be monitored – Organizations should have a system in place capable of logging and recording all session activity in real-time, flagging any suspicious activity with the option to immediately terminate a session if necessary.
  • Limit privileged access only to those whose role requires it – While this may seem an obvious point, you may be surprised to learn who has access to information or applications that simply aren’t appropriate to their role.
  • Sensitive information should be stored in a secure repository – Employees operating via these privileges should not be able to view and withdraw the most sensitive information existing in the corporate network without challenge. Instead, this access should be monitored and restricted according to stringent protocols.
  • Allow users to connect without disclosing the password – This is an important security measure for businesses, particularly those that outsource to third parties, as the ability to control and monitor activity may not be as stringent. For instance, a proxy server will ensure that all privileged credentials are isolated from the target server or device, providing a single control point and preventing attackers from bypassing the privileged account protection and audit system.

Put simply, to effectively minimize the growing risks of an enterprise falling victim to an attack or breach, IT teams must be equipped with the knowledge as to where privileged accounts exist, in what number, and with a system in place that is capable of monitoring and controlling access to these credentials. Although compliance is a fundamental concern of organizations of all sizes, this must not be allowed to cloud the issue. The cyber threat landscape is evolving rapidly, and organizations must move fast and smart to keep pace.

Udi Mokady is the president and CEO of CyberArk Software, and a pioneer in establishing the privileged account security software market. Since co-founding the company in 1999, Mokady has also served as CyberArk’s chief strategist and visionary, overseeing global expansion, management, execution and corporate development. Prior to CyberArk, Mokady specialized in legal management and business development for international high-tech companies. He previously served as the general counsel at Tadiran Spectralink, a highly specialized producer of secure wireless communications systems.

A veteran of a Military Intelligence unit, Mokady holds a law degree (L.L.B.) from Hebrew University in Jerusalem and a master of science management degree (MSM) from Boston University.
