Hunting Privileged Account Vulnerabilities with CyberArk Discovery & Audit (DNA)
March 24, 2017 | Security and Risk | Lauren Horaist
It’s widely understood that cyber intruders and internal threat actors seek and exploit privileged accounts to help them achieve their goals. Security experts advise organizations to know what’s on their networks and know it better than any potential adversary.
But discovering and locking down all of the privileged accounts within your enterprise is easier said than done—especially when you consider there are typically 3-4x more privileged accounts than people in the average organization. These accounts “live” in hard-to-reach places within your network including applications, endpoints, servers, databases and the cloud.
Here are some challenges organizations encounter when working to simply understand—let alone protect—privileged accounts in their environments, for example:
On premises and some cloud environments:
- There are often multiple accounts associated with one person and all of them have admin privileges.
- Many passwords are set to never expire to mitigate the risk of an interruption or issue.
- Many privileged accounts are mistakenly thought to be unused, but in reality, are used to log into systems regularly. Worse, it’s hard to pinpoint who is currently using them.
- Service accounts with “recently created” passwords have actually been using the same passwords for years—sometimes even a decade.
- It’s often difficult to locate hard-coded or embedded credentials stored within applications.
Specifically in cloud environments:
- In AWS, Elastic Cloud Compute (EC2) instances can be accessed using both EC2 private keys and individual AWS accounts.
- AWS root account credentials can be shared among multiple users, putting these highly sensitive credentials at an increased risk of loss or theft.
- In the cloud environment, it can be challenging to manage roles-based and temporary access.
How can you determine where all of your privileged accounts are before your attackers do? Take the first step by scanning your network with our CyberArk Discovery & Audit™ (DNA) tool available at no charge. One scan will help you discover the privileged attack surface of your organization by identifying where privileged accounts exist on-premises and in the cloud, your current privileged account security risks, accounts with local administrator rights, and machines that are vulnerable to credential theft attacks (such as credential harvesting, Pass-the-Hash, Overpass-the-Hash and Golden Ticket). Last year, our CyberArk DNA tool scanned more than 21 million machines, helping organizations take the first step towards reducing privileged account risks.
Enterprises that fail to prioritize the security of their privileged accounts are at risk of becoming victims of a cyber attack—which can mean major damage to business, reputation and even the ability to operate. Take the first step toward securing your privileged account environment. Run the CyberArk DNA scan today.