Organizations underestimate how cyber-attackers can take advantage of privileged accounts for malicious purposes, according to a new survey.
Despite the risks, half of the organizations in Cyber-Ark Software’s global IT security survey admitted to sharing passwords to privileged accounts among “approved” users. The problem was more widespread in larger enterprises, with 56 percent acknowledging the password sharing compared to 47 percent in smaller enterprises.
“Organizations are having a difficult time understanding the magnitude of this security problem in their environments because privileged accounts exist everywhere,” said John Worrall, chief marketing officer of Cyber-Ark.
Cyber-Ark estimated that organizations generally have privileged accounts three to four times the number of employees. However, when asked, 86 percent of large enterprise organizations either did not know or “grossly underestimated” the magnitude of their privileged account security problem, saying they had only one privileged account per employee.
“That means at least 2 out of every 3 privileged accounts in these organizations are either unknown or unmanaged,” according to the survey.
Privileged accounts include superuser and administrative accounts, default and hardcoded passwords, and application backdoors. Mandiant’s APT1 report earlier this year highlighted how attackers are going after domain administrators, service accounts with domain privileges, local administrator accounts, and other privileged user accounts. They provide direct access to the organization’s most sensitive data, but organizations continue to have a difficult time identifying and managing these critical vulnerabilities, Cyber-Ark said.
While 63 percent of the respondents were able to identify where privileged accounts can be found, the remaining were not aware that networked devices such as copiers and printers posed a risk if their passwords were not managed. Many organizations are not aware that unsecured access points can pose a threat to sensitive corporate data and systems.
Even though privileged accounts are increasingly being targeted in advanced enterprise attacks, organizations are not implementing best practices around privileged accounts, Cyber-Ark found. A recent CyberSheath report found that theft, misuse, and exploitation of privileged accounts was a “key tactic” in advanced persistent threat and other targeted attack campaigns.
The recommended practice is to change passwords for these accounts, at most, every 90 days. In the survey, 82 percent of respondents said they had processes in place for regularly changing passwords, but 53 percent of enterprises said they take 90 days or longer to change them. About 76 percent said they took 60 days or longer.
Recent attacks may be a sign that waiting 90 days is too long, Cyber-Ark said.
“It has become clear that privileged accounts are a priority target for cyber-attackers – every new report highlights this, and every new attack reveals the privileged pathway the attackers are travelling,” Worrall said.
Organizations need to identify where privileged accounts exist, control access to them, and monitor exactly what is being done with them, Cyber-Ark recommended. By automating the processes, organizations would be able to consistently enforce controls and manage risk more effectively, Worrall said.
The Privileged Account Security & Compliance Survey examined responses from 236 IT managers and C-level professionals at large enterprises across North America and Europe.
