Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Privileged Credentials Remain Security Weak Point

Privileged Accounts Attacks

Privileged Accounts Attacks

A new survey suggests that while security awareness is improving, security preparedness is not keeping pace. The associated report, CyberArk’s Global Advanced Threat Landscape 2016, “juxtaposes rising confidence in cyber security strategies and leadership, with poor IT security habits that persist across the enterprise in critical areas such as privileged account security, third-party vendor access and cloud.”

The survey was undertaken by Vanson Bourne for CyberArk. It questioned 750 IT and security decision makers from eight countries across North America, EMEA and APAC; and the results, suggests CyberArk, are that while business is listening to the lessons of history, it is not necessarily applying the correct response.

Seventy-nine percent of the respondents claim to have learned lessons from major publicized breaches. Twenty-five percent of these have improved malware detection, 24% have improved endpoint security, and 16% have invested in security analytics as a direct result of these lessons. Nevertheless, 40% still store privileged and/or admin passwords in a Word document or spreadsheet on a company PC/laptop, and 28% use a shared server or USB stick.

This confirms results from other recent surveys that suggest many companies fail to adequately protect their privileged accounts. 

Upcoming Webcast: Identity Assurance in the Modern Enterprise – Register Now

The reality is that abuse or misuse of privileged credentials is used in the majority of major breaches. The credentials can be spear-phished directly, or located onsite during an attack if they are not adequately secured. Once acquired by the attacker he (or she) is better able to hide his presence, explore the network and steal data without being detected. “While 71% of respondents say they use a privileged account security solution,” notes the report, “it’s clear the adoption of best practices lags far behind. For example, while respondents rank privileged account takeover as the second most difficult stage of a cyber attack to mitigate, organizations aren’t making it harder for attackers.”

The reason for this apparent anomaly could be found in an awareness disparity. While seventeen percent of business/technical staff rank privileged account security as their top concern, only 10% of C-level executives feel the same. “This indicates the need for greater C-suite education and awareness about privileged account security threats, and potential for direct business impact,” says the report.

It could be down to something as little as leadership being reluctant to provide budget for a secure third-party solution when, in theory, it can be handled easily enough in-house. But it’s this in-house handling that would be behind the account credentials being stored on insecure Word documents and spreadsheets. 

Insecure control over credentials also allows access via the supply chain (it was via a supplier that the hackers gained initial entry to Target). While CISOs can gain visibility into their own processes, it is less easy, and less obvious, that similar visibility and control is necessary over third parties.

“Many third parties, including vendors, contractors, consultants and service providers have authorized access to networks, allowing them to change, alter or impact the operational service of the target organization.” In fact, 49% of respondent organizations allow third party vendors access to their internal networks. And demonstrating that organizations are still not learning from past mistakes, the public sector “has the least third-party vendor access controls in place with 21% not securing activity, and 33% not monitoring that activity.” This is despite the massive OPM hack where social engineering was used by the attackers to obtain the credentials of a third-party contractor.

The findings of this year’s Global Advanced Threat Landscape Survey demonstrate that cyber security awareness doesn’t always equate to being secure,” suggests John Worrall, CMO at CyberArk. “Organizations undermine their own efforts by failing to enforce well-known security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud.”

Upcoming Webinar – Tuesday, Sept. 27 at 1PM ET

Avoid the Breach: Identity Assurance in the Modern Enterprise

Register Now

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...