Connect with us

Hi, what are you looking for?


Identity & Access

Privileged Accounts Still Poorly Managed

Despite Continious Warnings, Organizations Fail to Protect Privileged Accounts

Despite Continious Warnings, Organizations Fail to Protect Privileged Accounts

Privileged accounts are a primary target for both cyber criminals and nation-state adversaries. If they are lost, the castle will fall. Despite this, the defense of privileged account credentials still leaves much to be desired. A 2016 survey of 500 professionals indicated that nearly 70% of respondents were using ‘home-grown’ solutions to manage accounts. 

Little seems to have changed. This week, a separate survey indicates that 37% of respondents use internally developed tools or scripts, 36% use a spreadsheet, and 18% use paper-based tracking to manage at least some of their administrative and other privileged accounts. In fact, 67% of organizations use two or more tools to manage these accounts, suggesting widespread inconsistency in privileged account management.

One Identity surveyed (PDF) more than 900 IT professionals with responsibility for security and a knowledge of IAM and privileged accounts. Approximately 300 respondents come from the U.S., 300 from the UK, France and Germany; and 300 from Australia, Singapore and Hong Kong. All of the main industry verticals are represented in the survey; but technology dominated at 27%. 

Twenty-eight percent of the companies represented have more than 5,000 employees; 28% have between 2,000 and 5,000 employees; and 44% have between 500 and 2,000 employees. This preponderance of mid-range companies could bias the survey results slightly more towards SMB privileged account management than large enterprise privileged account management.

Nevertheless, the results are surprising, with basic best practices widely ignored. Eighty-six percent of organizations do not consistently change the password on their admin accounts after each use. Furthermore, 40% of IT security professionals don’t take the basic best practice of changing a default admin password, the survey found.

Once a system is breached — something that many security experts believe is inevitable and not preventable — adversaries seek to move deeper into the network. One early step is to locate legitimate user credentials. For example, in the Sony hack, the adversaries specifically looked for files named ‘passwords’. If such a file is found (and it reportedly was) containing plaintext user credentials — and especially administrative users — then the adversary can burrow deeper and more silently into the infrastructure.

Best practices in defending these credentials would be to protect them in a specific high security password vault, and to continuously monitor the use of privileged credentials throughout the network. One Identity found that only 54% of respondents use a password vault; and that while 95% of respondents log or monitor some privileged access, only 43% monitor all such access. 

Advertisement. Scroll to continue reading.

The effect is that in many cases an adversary can obtain privileged access, and then use that access without being detected. The result is unhindered, and probably invisible, lateral movement through the network.

Even where credential use is monitored, 32% of the respondents said they cannot consistently identify the individuals who perform administrator activities. The reasons are probably multifold. For example, 46% of respondents admit they have multiple administrators sharing a common set of credentials, while a far smaller number of admin users actively allow others to use their credentials.

“When an organization doesn’t implement the very basic processes for security and management around privileged accounts, they are exposing themselves to significant risk. Over and over again, breaches from hacked privileged accounts have resulted in astronomical mitigation costs, as well as data theft and tarnished brands,” said John Milburn, president and general manager of One Identity. “These survey results indicate that there are an alarmingly high percentage of companies that don’t have proper procedures in place. It is crucial for organizations to implement best practices regarding privileged access management without creating new roadblocks for work to get done.”

Related: Many Enterprises Fail to Protect Privileged Credentials 

Related: Defending Against the Insider – Strategies From the Field 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...