
Attackers Capitalizing On Poorly Managed Privileged Accounts

Attackers Access Privileged Accounts

While attackers can break into networks using complex techniques, the reality is that most data breaches occur when attackers manage to get their hands on login credentials to administrator and other super-user accounts.

Corporate and government IT systems are increasingly handling sensitive information, such as personally identifiable information, financial data, and even health records. These systems need to have appropriate security measures so that the data is safe, from both external adversaries and from malicious insiders. The problem is, many organizations aren't adequately controlling or auditing who has access to privileged accounts, said Adam Bosnian, EVP Americas & Corp. Development at Cyber-Ark Software.

Privileged access points consist of privileged and administrative accounts, default and hardcoded passwords, and application backdoors, Bosnian said. Employees can use these privileged accounts to access the organization's most sensitive data across systems, applications, and servers.

"Unsecured critical access points are a threat to all sensitive corporate data and systems and represent the greatest security challenge most businesses will face," Bosnian said.

These accounts tend to be poorly managed, or neglected entirely, Bosnian said. Organizations may allow multiple users to share these accounts, which makes it hard to figure out who performed which actions. The passwords are generally weak, and rarely changed. In the past, organizations generally focused on insider threats when thinking about privileged access points, but now cyber-criminals are increasingly targeting these accounts, Bosnian said.

On Tuesday, Cyber-Ark released its Privileged Identity Management Suite for Critical Infrastructure Protection (PIM/CIP) to secure, manage, and monitor all privileged account access and activities across the operational environment in order to prevent potential cyber-attacks. PIM/CIP manages privileged identities and secures remote vendor access, the company said.

Many critical infrastructure organizations now have corporate IT systems interconnected with traditionally segregated operational networks, making it possible for an attack on one network to affect the other, Cyber-Ark said. The typical operational environment includes thousands of servers, databases, programmable logic controllers (PLCs), Industrial Control Systems (ICS), network devices and applications, all controlled by various privileged and shared administrative accounts, the company said.

"The security, control and auditability of these privileged access points are often neglected, while usage is hard to monitor," according to the company.

Securing Privileged Accounts

Cyber-Ark PIM/CIP allows critical infrastructure organizations to identify all privileged accounts and associate them with authorized users so there is full accountability and usage is tracked. Real-time monitoring and recording means organizations know what is happening, and can terminate suspicious activity as soon as it is detected. Organizations can also enforce policies around privileged password usage, strength, and automatic replacement.

Businesses need to make controlling the access points a priority. A Gartner research report recently warned that organizations should "ensure that end users do not have administrative access" in order to reduce the impact of social engineering attacks.
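The controls described above (inventory every privileged account, tie each one to an accountable owner, monitor shared use, rotate passwords, remove default credentials, and keep end users out of administrator groups) can be checked against an account inventory. The following is an added example written for this page, not Cyber-Ark's product or any code from the article; the inventory, host names, the 90-day rotation threshold and the list of default credentials are all constructed for illustration.

```python
"""Audit a privileged-account inventory against basic PAM hygiene controls.

Added example with constructed data; policy values are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Group memberships that make an account a privileged access point.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "root", "wheel", "sudo"}

# Constructed, illustrative (username, password) pairs shipped as vendor defaults.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("operator", "operator")}


@dataclass
class Account:
    name: str
    host: str
    groups: Tuple[str, ...]     # group memberships on the host
    role: str                   # "admin", "end_user", "service" or "vendor"
    owner: Optional[str]        # accountable person; None if nobody is assigned
    shared: bool                # the credential is known to more than one person
    password_set: date          # last password change
    password: Optional[str]     # plaintext only where it is a known default/hardcoded value
    monitored: bool             # sessions on this account are recorded/monitored


def audit_privileged_accounts(accounts: List[Account], today: date,
                              max_password_age_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (account, host, finding) triples for every privileged account that
    violates a control. Non-privileged accounts are skipped entirely."""
    findings = []
    for a in accounts:
        if not set(a.groups) & PRIVILEGED_GROUPS:
            continue  # ordinary user: not a privileged access point
        if a.role == "end_user":
            findings.append((a.name, a.host, "end user holds administrative access"))
        if a.owner is None:
            findings.append((a.name, a.host, "no accountable owner assigned"))
        if a.shared and not a.monitored:
            findings.append((a.name, a.host, "shared account without session monitoring"))
        if (today - a.password_set).days > max_password_age_days:
            findings.append((a.name, a.host, f"password older than {max_password_age_days} days"))
        if a.password is not None and (a.name, a.password) in KNOWN_DEFAULT_CREDENTIALS:
            findings.append((a.name, a.host, "vendor default credential still in use"))
    return findings


# Constructed sample inventory: hosts, names and dates are hypothetical.
TODAY = date(2012, 12, 1)
SAMPLE_INVENTORY = [
    # shared root on a PLC gateway: nobody owns it, nobody watches it, never rotated
    Account("root", "plc-gw-01", ("root",), "admin", None, True, date(2011, 3, 2), None, False),
    # vendor maintenance login on an HMI still using the factory default password
    Account("admin", "hmi-02", ("Administrators",), "vendor", "ACME Support", False,
            date(2012, 11, 20), "admin", True),
    # regular employee who was made local administrator on a workstation
    Account("jdoe", "ws-117", ("Administrators", "Users"), "end_user", "J. Doe", False,
            date(2012, 11, 1), None, False),
    # well-managed service account: owned, rotated, monitored
    Account("svc_backup", "db-01", ("Domain Admins",), "service", "DBA team", False,
            date(2012, 10, 15), None, True),
    # ordinary user account: out of scope for the audit
    Account("asmith", "ws-200", ("Users",), "end_user", "A. Smith", False,
            date(2010, 1, 1), None, False),
]


def example_findings() -> List[Tuple[str, str, str]]:
    return audit_privileged_accounts(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, host, finding in example_findings():
        print(f"{host:10} {name:12} {finding}")
```

In a real environment the inventory would be built from directory and host data rather than typed in (for example local administrator group membership and password-last-set attributes), and the default-credential check would compare stored hashes rather than plaintext; the checks themselves are the same.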

In a survey co-sponsored by Quest Software (now Dell) and Microsoft earlier this year among global IT professionals, half of the respondents said the top compliance issue in their organizations was ensuring correct user access rights. "This challenge intensifies when administrators are given the 'keys to the kingdom,' with far-reaching, shared anonymous access rights to vital IT systems," Quest said.

Privileged accounts were behind some of the more headline-grabbing incidents this year, Bosnian said, citing Flame, the South Carolina data breach, and even the Shamoon attacks at Saudi oil giant Aramco, which investigators are claiming had insider help. Flame relied on the same privileged exploit as Stuxnet, the Windows print spooler vulnerability (MS10-061), to propagate itself throughout the network, Bosnian said. However, privileged accounts aren't just being used for cyber-espionage and state-sponsored attacks. These accounts "are also the pathways that cyber-criminals are using to steal IP and data from businesses," Bosnian warned.

Organizations are also aware of the risks. In Cyber-Ark's 6th annual global IT security survey, businesses said the exploitation of privileged account access played a prominent role in "most of the world’s most notorious data breaches," Bosnian said. Even so, 43 percent of respondents said their organizations did not monitor how privileged accounts were being used, or were unsure whether it was happening.

"At some point, businesses and government organizations need to wake up and understand that privileged accounts and passwords are the number one target for hackers," Bosnian warned.

Related Reading: Stolen Login Credentials, Poor Security Practices Led to South Carolina Data Breach

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.