by Josh Arrington
As part of this week’s IT Security Rewind, we have decided to take a deeper look at recent massive data breaches to demonstrate how attackers continue to exploit administrative and privileged accounts to do system-wide damage. We’ll also preview our soon-to-be-released eBook, which covers similar ground through a longer historical examination and a discussion of solutions to effectively manage, secure and mitigate the threats associated with privileged credentials.
Data Breaches Gone Wild
First, let’s take a look at some recent attacks that have forced IT insiders and stakeholders to reevaluate their proactive approaches to security and access control:
- Last December, the U.S. Chamber of Commerce confirmed that compromised administrator accounts led to an attack by Chinese hackers. The breach compromised the information of the Chamber’s 3 million members.
- In March of this year, a Global Payments breach exposed financial data belonging to 1.5 million users of Visa and Mastercard. Analyst firm Gartner has claimed the attack resulted from a weak authentication mechanism that enabled access to an administrative account.
- Most recently, this month, attackers were able to reach health records stored by the Utah Department of Technology Services by cracking a “weak” default administrative password. Once inside, the servers, and the data housed on them, were compromised.
The Privileged Pathway
In all three of these well-publicized cases, hackers were able to bypass perimeter security controls to gain access to target systems through the same poorly protected and wide-open gateway: privileged and administrative accounts. In each case, once inside, attackers leveraged the privileged account to gain access to additional servers, databases and other high-value systems that only a select few people are actually granted permission to access. The result, as demonstrated by the above, is easy access to millions of sensitive records.
Unfortunately, these accounts have emerged as a primary target for hackers because infiltration is possible through rather simple means—an easy-to-crack password, spear-phishing or an exploitable zero-day vulnerability. In the Utah case, the breach was caused by a weak password that was supposed to protect a very sensitive privileged access point on a server.
The Problem with Sharing
The problem that continues to persist is that privileged accounts are often shared, with passwords that are rarely changed. This remains the great paradox in the world of identity and access management, and in security in general—attackers are targeting these incredibly sensitive access points, yet personal passwords to websites such as Facebook are held to higher standards of strength and rotation.
These vulnerabilities are not limited to a specific industry – we see them across the spectrum. In fact, this is very similar to the weaknesses and vulnerabilities at the Bonneville Power Administration highlighted by the Energy Department. Auditors uncovered 11 servers configured with weak passwords – including one that hosted an administrative account with a default password.
While troubling, reports of this nature are commonplace and are a contributing reason why we continually see massive breaches of this kind in the headlines.
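The three weaknesses this section describes (a default password left on an administrative account, one password shared across several servers, and passwords that are never rotated) are exactly what an auditor looks for, and the check can be automated. The script below is an added example and is not Cyber-Ark’s code or the auditors’ tooling. It assumes a constructed credential inventory in which each privileged account is represented by a keyed HMAC fingerprint of its password (so equality with a known-default list, and reuse across accounts, can be detected without handling plaintext), a constructed list of placeholder default passwords, and a constructed 90-day rotation policy.

```python
import hmac
import hashlib
from datetime import date

# Constructed audit-only key used to fingerprint passwords. In a real audit this would
# come from the password vault's export process; it is a placeholder here.
AUDIT_KEY = b"constructed-audit-key-placeholder"

# Constructed rotation policy: anything older than this is flagged as stale.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed placeholder "vendor default" passwords, not a real default list.
KNOWN_DEFAULTS = ["admin", "password", "changeme"]


def fingerprint(password: str) -> str:
    """Keyed fingerprint so two accounts with the same password produce the same value."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()


DEFAULT_FINGERPRINTS = {fingerprint(p): p for p in KNOWN_DEFAULTS}

# Constructed inventory: one privileged account per record. The plaintext appears only
# because the sample data is built inline; a real export would carry the fingerprint only.
INVENTORY = [
    {"host": "db-01", "user": "Administrator", "fp": fingerprint("changeme"), "rotated": date(2011, 1, 15)},
    {"host": "db-02", "user": "Administrator", "fp": fingerprint("W1nter!2012"), "rotated": date(2012, 3, 1)},
    {"host": "app-01", "user": "root", "fp": fingerprint("W1nter!2012"), "rotated": date(2012, 3, 1)},
    {"host": "app-02", "user": "root", "fp": fingerprint("xK9#pL2$vQ7m"), "rotated": date(2012, 4, 1)},
]


def audit(inventory, today: date, max_age_days: int = MAX_PASSWORD_AGE_DAYS):
    """Return {(host, user): [issue codes]} for every account with at least one finding."""
    findings: dict[tuple[str, str], list[str]] = {}

    def flag(acct, code):
        findings.setdefault((acct["host"], acct["user"]), []).append(code)

    # 1. Default password still in place on a privileged account.
    for acct in inventory:
        if acct["fp"] in DEFAULT_FINGERPRINTS:
            flag(acct, "DEFAULT_PASSWORD")

    # 2. Password not rotated within policy.
    for acct in inventory:
        if (today - acct["rotated"]).days > max_age_days:
            flag(acct, "STALE_PASSWORD")

    # 3. Same password shared by more than one privileged account.
    by_fp: dict[str, list[dict]] = {}
    for acct in inventory:
        by_fp.setdefault(acct["fp"], []).append(acct)
    for accts in by_fp.values():
        if len(accts) > 1:
            for acct in accts:
                flag(acct, "SHARED_PASSWORD")

    return findings


if __name__ == "__main__":
    # Audit date is constructed to match the sample inventory.
    for (host, user), issues in sorted(audit(INVENTORY, date(2012, 4, 15)).items()):
        print(f"{host}\t{user}\t{', '.join(issues)}")
```

Running it against the sample inventory reports db-01 for both a default and a stale password, and db-02 and app-01 for sharing one password; app-02 produces no finding. Because the comparison is done on keyed fingerprints, the same check can run over a vault export without the auditor ever seeing the privileged passwords themselves.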
Cyber Attacks and Privilege: Stay Tuned for More
For Cyber-Ark, these trends and developments are startling but not novel. Next week, we’ll be releasing a new eBook—“Don’t Give Cyber Attackers the Privilege”—focused specifically on the proliferation of cyber attacks targeting unmanaged privileged accounts. The report outlines a history of this abuse dating back to January 2010 through a compilation of privilege-related attacks. The eBook also outlines the steps required to control these access points through privileged identity management.