by Derrick Pyle
If you read this blog, you’ve seen posts about privileged accounts being the primary target for advanced enterprise cyber-attacks. We’ve issued press releases, written blog posts, and spoken to the media about privileged accounts being exploited to perpetrate some of the most devastating cyber-attacks in recent memory. We’re not the only ones calling this out – just check out the latest Mandiant or Verizon security reports. This leads to the question: if everyone knows that attackers are targeting privileged accounts, why does this keep happening and why aren’t businesses doing more to protect these accounts?
We have a few ideas – but we wanted to get to the bottom of this by asking security and IT professionals on the front line their thoughts on the topic. At a series of IT security conferences in the US and Europe, we conducted the 2013 Privileged Account Security & Compliance Survey, asking 236 security professionals and C-level execs about their privileged account security practices.
We’ll break down all the results in subsequent postings (and you can download the entire survey here ), but we want to address the question asked above – if attackers are targeting privileged accounts, why aren’t organizations protecting them better? The answer isn’t shocking unfortunately – companies simply don’t know how pervasive privileged accounts are within their own organization.
When asked to estimate the number of privileged accounts in their organization, 86 percent of respondents from large enterprises (5000+ employees) stated they either didn’t know how many accounts they had, or that they had no more than 1 per employee.
Even if you exclude the “I don’t know” responses, here’s why this is a gross underestimation. Based on our internal research across more than a thousand customer deployments, we’ve conservatively determined that the number of privileged accounts in an organization is typically 3 to 4 times the number of employees. So if you have a 5,000 person company, that means you have, conservatively, more than 15,000 – 20,000 privileged accounts.
That sounds like a lot – because it is. Here’s why the number is so high. Privileged accounts were typically only thought of as the powerful IT administrator or superuser accounts – but the notion of privileged accounts has expanded to include default and hardcoded passwords, application backdoors, and more. These access points exist in almost any device with a microprocessor and each one represents a vulnerability for an organization.
Attackers know these weak spots exist and can often find these default credentials through a simple Internet search. Like, for instance, the researcher who created a massive Botnet army out of 420,000 embedded devices that were using default credentials. Or the thousands of critical infrastructure devices that were protected only by default passwords and were easily found through the Shodan search engine.
This is why we launched Cyber-Ark DNA – to help organizations identify these vulnerabilities by scanning and analyzing privileged accounts across their networks. The problem will never be fixed until we first understand and accept the scope of the challenge we face.