There’s an elephant in the room. A growing number of organizations proactively mitigate cyber security risks by improving privileged access controls, yet many still have powerful accounts across their environment for which the credentials have never been changed. I’m referring to the commercial off-the-shelf (COTS) applications that often require the same access to privileged accounts as IT admin users. The privileged credentials accessed by applications are typically not well maintained, managed or secured. Awareness of the security risks associated with embedded credentials is growing.
Applications that use embedded credentials can be very attractive targets for adversaries. Often these applications require highest-level privileges to perform intended functions such as resetting a service, conducting a vulnerability scan or initiating a back-up. This means the accounts also have extensive access to sensitive systems and data. The associated security risks can be great – especially when you consider that many organizations have thousands of embedded credentials across their environment, and each represents a potential pathway for attackers – increasing the magnitude of risk. As Jim Connelly, CISO of Lockheed Martin points out, “If [adversaries] get a hold of an over-privileged account, they’ll run through the environment like a brushfire.”
Dealing with credentials used by applications can be one of most challenging aspects of securing privileged accounts, since mitigation often involves refactoring a wide range of applications – from vulnerability management and IAM/governance tools to DevOps, data management and cloud tools. Quite a formidable task if automation mechanisms are not in place.
I admire about the way leading enterprise CISOs address such challenges. They don’t stick their heads in the sand, nor do they frame the issue as a binary, i.e. “We can’t do anything about this problem” or “There is only one right way to solve the problem.” As part of the CISO View industry initiative, CyberArk released research entitled, “The Balancing Act: The CISO View on Improving Privileged Access Controls” to provide a roadmap for companies to address security holistically – including overcoming the embedded credential conundrum. Within the report, 12 security leaders describe a meaningful range of options for dealing with embedded passwords in applications. Some methods require coding, some don’t. Some focus on prevention, others detection. Some use compensating controls.
There are also three baseline best practices that every organization should consider implementing initially to better protect credentials used by applications and scripts:
- The credentials for the account should be stored securely. If an application obtains an account’s credential from a configuration file, an attacker can easily read it. Instead, reconfigure applications to call the password from an encrypted password vault.
- The account password or SSH key should be changed regularly. Changing a credential used by applications is often a sensitive issue, especially if it has been used for so long that nobody knows what the effects of changing it will be. Weigh the value of changing a credential against the operational risk associated with changing it.
- The application should be designed using the principle of least privilege. For example, an application that performs backups should not need permissions to install software.
This kind of pragmatic problem solving is what you’ll find featured in the CISO View report. The report also highlights ways to make security more personal for stakeholders, such as IT administrators and DBAs, across your enterprise. We’ll explore that topic further in another article. Download the full report.
