Last year, CyberArk issued a threat report: “Privileged Account Exploits Shift the Front Lines of Cyber Security.” The key findings provide an excellent primer on the role of privileged accounts in targeted attacks. The full report is a must-read for security teams charged with proactively protecting internal networks.
The report is based upon interviews with seasoned threat investigators at five firms renowned for detecting, analyzing and remediating serious cyber security incidents at Global 1000 companies:
- Cisco Talos Security Intelligence and Research Group
- Deloitte & Touche LLP’s Cyber Risk Services and Deloitte Financial Advisory Service LLP’s Computer and Cyber Forensics Team
- Mandiant, a FireEye Company
- RSA, the Security Division of EMC
- Verizon RISK Team, Verizon Enterprise Solutions
In the report, these experts provided basic guidance to help companies detect and reduce misuse of privileged accounts:
- Know what privileged accounts you have, what they do and are supposed to do. Consider IT administrative credentials, default and hard-coded passwords, application backdoors, SSH keys, etc. Then, limit those privileges as much as possible to reduce the potential for abuse.
- Improve security of privileged accounts by changing default passwords and using different administrative passwords on each system. If attackers gain privileged access to one system, they usually will try the same password to gain access to all other similar systems within the company.
- Enforce one-time passwords that expire after a single use. For further protection, companies can encrypt their privileged account credentials and automate credential rotation.
- Proactively monitor privileged accounts and how they interact with data and technology assets. Do not passively wait for security tools to alert you of a problem. For example, scout for admin credentials that should not be accessing certain types of systems or for domain admins logging into many different parts of the network. If a privileged user is VPNing into the network from multiple far-flung locations in a short amount of time, that’s often a sign of fraudulent access.
- Perform regular, recurrent “housekeeping” of information assets and how they’re accessed. Develop and employ tight governance practices around the provisioning of user access and privileges and around data and asset classification. Scrub your Active Directory and all authentication/access points. Decommission privileged accounts that haven’t been used recently. Many will likely be service accounts with fixed credentials.
- Monitor and limit the privileges of service accounts. For example, if an account runs a particularly important service, it should never have remote access. In many cases, it shouldn’t even be usable through a graphical user interface (GUI). For example, a service account running a database should never need a GUI to access its services.
- Apply patches as quickly as possible. Many companies worry about zero day vulnerabilities, but such exploits are so valuable that attackers use them only in special circumstances and hardly ever on a widespread basis. For every zero day you hear about, there are millions of known vulnerabilities that can be eliminated through patching.
- Practice classic defense in depth. The more overlapping security layers in your environment, the more you lower your risks. Reducing vulnerabilities in privileged accounts can greatly impair the ability of attackers to maneuver within and manipulate critical IT systems.
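The proactive monitoring guidance above (privileged users VPNing in from several far-flung locations within a short window, or domain admins logging on to many different hosts) can be turned into simple detection logic. The script below is an added example, not part of the report or the post; the log format, the account inventory and the thresholds are assumptions, and the log lines are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): "timestamp user event detail",
# where detail is a VPN source location or a host name.
SAMPLE_LOG = """\
2015-12-01T08:00:00 svc_backup vpn_login Frankfurt
2015-12-01T08:20:00 svc_backup vpn_login Singapore
2015-12-01T08:41:00 svc_backup vpn_login Toronto
2015-12-01T09:00:00 admin_pm vpn_login Berlin
2015-12-01T19:30:00 admin_pm vpn_login Lisbon
2015-12-01T09:05:00 admin_kr host_logon DC01
2015-12-01T09:06:00 admin_kr host_logon FILESRV02
2015-12-01T09:07:00 admin_kr host_logon HRDB01
2015-12-01T09:08:00 admin_kr host_logon WS-0421
2015-12-01T09:09:00 admin_kr host_logon WS-0877
2015-12-01T10:00:00 admin_pm host_logon DC01
"""
# Assumed privileged-account inventory (the "know what privileged accounts you have" step).
PRIVILEGED = {"svc_backup", "admin_kr", "admin_pm"}

def parse(log):
    """Parse log lines into (timestamp, user, event, detail) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        ts, user, event, detail = line.split()
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return sorted(events)

def flag_spread(events, event_type, window, threshold):
    """Return {user: set(details)} for privileged users whose events of
    event_type touched at least `threshold` distinct details inside `window`."""
    per_user = defaultdict(list)
    for ts, user, ev, detail in events:
        if user in PRIVILEGED and ev == event_type:
            per_user[user].append((ts, detail))
    hits = {}
    for user, items in per_user.items():
        for i, (start, _) in enumerate(items):   # slide the window over each start point
            seen = {d for ts, d in items[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[user] = seen
                break
    return hits

def impossible_travel(log, window=timedelta(hours=1), min_locations=2):
    """VPN logins from several locations too close together to be genuine travel."""
    return flag_spread(parse(log), "vpn_login", window, min_locations)

def domain_admin_spread(log, window=timedelta(minutes=10), min_hosts=4):
    """A privileged account fanning out across many hosts in a short burst."""
    return flag_spread(parse(log), "host_logon", window, min_hosts)
```

The thresholds are deliberately conservative starting points; tune the window and counts against your own baseline of normal administrative activity before alerting on them.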
As the year winds down, and you begin to plan for 2016, it’s a good time to review insights from security experts to ensure your proactive security measures reflect best practices. If you haven’t read this report, now is the time. Download the full threat report: Privileged Account Exploits Shift the Front Lines of Cyber Security.