Most Windows-based network devices that hold sufficiently privileged credentials to enable attackers compromise other machines and accounts have been found to be susceptible to compromise, a recent report from CyberArk Labs reveals.
According to the report (PDF), dubbed “Analyzing Real-World Exposure to Windows Credential Theft Attacks,” 88 percent of the analyzed Windows-based workstations and servers could be compromised through privileged account credential theft or abuse. Collected from over 50 networks, the data sheds light on the risk associated with machines that are considered highly threatening.
The study also revealed that an average of over 40 percent of the analyzed machines could provide cyber attackers with the necessary credentials to launch an attack capable of compromising the entire network of an organization. Thus, the security firm notes that no organization that has Windows hosts in its network is safe from compromise of those hosts through credential theft attacks.
Servers are more likely to put an enterprise network at risk than workstations, mainly because they usually offer greater access to sensitive data when compared to individual workstations. An in-depth analysis of a subset of 11 networks revealed that the percentage of servers at high-risk was 10 times greater than that of workstations for some networks, while others included not threatening workstation.
The researchers behind the study note that attackers who are successful in compromising a server instead of a workstation have greater chances of being able to steal credentials and to continue the attack on multiple hosts. They also say that, regardless of the initial breach point, attackers are usually motivated to move laterally to a server to ensure compromise through stealing privileged credentials.
The report reveals that most high-risk accounts (defined as those accounts that can an enable direct access to over 80 percent of the Windows hosts on the network) in all networks are used for interactive sessions. The number of high-risk accounts lowers when they are used for both automated processes and interactive sessions, and is lowest when used only by automated processes.
“In a given network, there are typically a number of highly threatening machines that can give an attacker the credentials needed to completely compromise the majority of Windows hosts on the network. We’ve seen similar credential theft methods as the basis for major attacks across a number of organizations. Identifying these machines and securing the associated privileged credentials against theft and exploitation is a critical step in securing against advanced cyber attacks,” Andrey Dulkin, director of cyber innovation at CyberArk Labs, said.
Since most networks in real world include Windows hosts and privileged accounts, organizations are advised to consider mitigation techniques to minimize compromise risks. To lower the risks involved with privileged accounts used for interactive sessions, organizations can use privileged local accounts instead of privileged domain accounts, as well as one-time passwords through automated tools that change the password after every use of a privileged account.
When both interactive session and automated process accounts are used, organizations can grant each privileged account access to a small subset of the hosts in the network and they can also choose to implement limited privileged domain accounts. For the accounts used only for automated processes, CyberArk suggests that companies avoid embedding usernames, passwords, and/or other credentials in processes or in their proximity and should instead use a centralized system that can provide credentials to automated processes on demand.
Dell this week published the results of a global survey (PDF) on privileged account management revealing that 76 percent of the responding IT security professionals believe that improved control can reduce the likelihood of a security breach.
According to Dell’s survey, 83 percent of respondents face challenges with the management of administrative or other privileged accounts, which renders businesses vulnerable to security breaches. However, 75 percent of the surveyed IT security professionals revealed that they do have a defined process for managing privileged accounts, albeit they don’t always follow it.
Dell’s survey also revealed that 30 percent of the respondents still use manual processes like Excel or other spreadsheets to manage privileged accounts, which slows their response time in critical situations significantly. Only 26 percent of the respondents say they change administrative or other privileged passwords on mission critical systems and devices on a monthly basis, but most of them change these passwords less frequently.
37 percent of survey respondents who revealed they face issues with privileged accounts management also say that the most critical challenge for their organizations is the fact that the default admin passwords on hardware and software are not consistently changed. 37 percent of respondents also say that another issue is the fact that multiple admins share a common set of credentials, while 31 percent cite the inability to consistently identify individuals responsible for administrator activities.
According to the survey, IT administrators believe that delegation (the ability to provide admins only with the privileges they need to do their job) and password vaulting (the automated storage, issuance and changing of credentials) represent critical practices for the administrative or privileged account management within their organizations.
Despite that, less than half of respondents record, log and monitor administrative or other privileged access on a regular basis. Thus, enterprises are susceptible to hacks and breaches aimed at exposing corporate data, especially when a multitude of software tools and manual processes are used for the management of privileged accounts, Dell says
“Privileged accounts really are the ‘keys to the kingdom,’ which is why hackers seek them out and why we’ve seen so many high-profile breaches over the past few years use these critical credentials. To alleviate this risk and ensure these accounts are controlled and secured, it’s absolutely crucial for organizations to have a secure, auditable process to protect them. A good privileged account management strategy includes a password safe, as well as least-privileged control to protect organizational assets from breaches,” John Milburn, executive director and general manager, Identity and Access Management, Dell Security, says.
Dell’s survey of more than 560 IT technology professionals responsible for security was conducted across the United States, United Kingdom, Germany, Australia and New Zealand.
