by David Kemp
CyberArk’s recent Privileged Awareness Survey highlighted that 86 percent of large enterprise organizations either do not know or have grossly underestimated the magnitude of their privileged account security problem, and that 37 percent of all organizations have no idea where privileged accounts exist in their organization.
One of the primary reasons for this lack of knowledge around privileged accounts is that businesses are still trying to manage these accounts with traditional IAM systems. IAM works well for single sign-on and user provisioning for the vast majority of employees, but it was never designed for privileged and administrative accounts: the people holding them, the duties they perform and the systems under their control change far more often than an ordinary user's entitlements, and IAM systems cannot provide the control and record-keeping those accounts need.
As a result, many organizations have a ‘black hole’ when it comes to controlling the most powerful accounts in their organization. Here’s why this is a major problem, and why 100 percent of all advanced attacks have a privileged component to the attack vector.
An organization of 10,000 employees might have about 500 people that can be described as IT admins or super-users. This is 500 people operating in the black hole, with no control and record of their activity using these powerful accounts.
But this is just the outer edge of the black hole. Here’s where it gets even scarier.
Admin and privileged accounts are typically ‘shared’ accounts – meaning that 20 Unix admins will share the root ID and password to maintain the 40 Unix systems, the 20 VM admins share the same ID and password for the 100 VM systems, and so on. The same problem of shared accounts applies to network infrastructure (routers, firewalls, PBX, etc.) and to every other system on the network, including ICS, SCADA, clinical and surveillance systems to name a few. Every system with a microprocessor has one of these accounts.
What this means is that every system in your organization has a ‘black hole’ that is every bit as powerful as the privileged accounts discussed above. These accounts are extremely hard to identify and account for because most organizations use disparate systems across their architecture. Cyber-Ark’s own research has shown that the typical organization has 3-4 privileged accounts for every 1 employee. So in the organization of 10,000 people, it means at least 30,000 of these accounts exist.
This is why privileged accounts are the number one target of cyber-attackers – they know that the default or hardcoded passwords these accounts ship with can be found with a simple internet search, and that they are frequently never changed. Once they gain access to one of these accounts, they can easily move from system to system, elevating privileges to traverse the network until they reach their target destination – your IP and sensitive data.
Identifying these black holes is the first step to security – this is one reason why Cyber-Ark launched Cyber-Ark Discovery & Audit (DNA), a free assessment tool that rapidly locates all privileged, shared and generic accounts without having to install anything on target machines. This includes the many old, un-managed and out-of-compliance accounts that were left by ex-employees, contractors, and other business associates.
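The discovery step described above can be illustrated with a small audit over the Unix portion of a fleet. The following is an added example written for this page; it is not CyberArk DNA or any other CyberArk code. It works from copies of `/etc/passwd` and `/etc/shadow` collected from each host (the three hosts and every line in them are constructed for the example), and reports three of the black holes the article describes: accounts with UID 0 other than `root`, the same password hash turning up on several hosts or under several names (a shared root password, or a cloned image), and accounts whose password has not been changed in over a year (the ex-employee and contractor leftovers). The "today" value `AS_OF` is an assumed day count so the output is reproducible; identical hashes only reveal a shared password when the salt is identical too, which is the common cloned-image case, so a password shared across hosts that each salted it differently is not caught here.

```python
"""Audit passwd/shadow snapshots from several hosts for privileged, shared
and stale accounts.  All host data below is constructed for this example."""
from collections import defaultdict

STALE_DAYS = 365   # flag passwords older than this
AS_OF = 18400      # assumed "today", in days since 1970-01-01 (shadow field 3 units)

# Constructed snapshots: root shares one hash on all hosts, 'toor' is a second
# UID-0 account, 'deploy' and 'oracle' share a hash, 'oldadmin' is stale.
HOSTS = {
    "web01": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "toor:x:0:0:backdoor:/root:/bin/bash\n"
                   "alice:x:1001:1001::/home/alice:/bin/bash\n"
                   "nobody:x:65534:65534::/:/usr/sbin/nologin\n"),
        "shadow": ("root:$6$s1$SAMEROOTHASH:18300:0:99999:7:::\n"
                   "toor:$6$s2$TOORHASH:17000:0:99999:7:::\n"
                   "alice:$6$s3$ALICEHASH:18390:0:99999:7:::\n"
                   "nobody:*:18000:0:99999:7:::\n"),
    },
    "db01": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "oracle:x:1002:1002::/home/oracle:/bin/bash\n"
                   "oldadmin:x:1003:1003::/home/oldadmin:/bin/bash\n"),
        "shadow": ("root:$6$s1$SAMEROOTHASH:18300:0:99999:7:::\n"
                   "oracle:$6$s4$ORACLEHASH:18350:0:99999:7:::\n"
                   "oldadmin:$6$s5$OLDHASH:15000:0:99999:7:::\n"),
    },
    "app01": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "deploy:x:1004:1004::/home/deploy:/bin/bash\n"
                   "svc:x:1005:1005::/var/svc:/usr/sbin/nologin\n"),
        "shadow": ("root:$6$s1$SAMEROOTHASH:18300:0:99999:7:::\n"
                   "deploy:$6$s4$ORACLEHASH:18350:0:99999:7:::\n"
                   "svc:!:18000:0:99999:7:::\n"),
    },
}


def parse_passwd(text):
    """Map user -> (uid, shell) from /etc/passwd content."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = (int(f[2]), f[6])
    return out


def parse_shadow(text):
    """Map user -> (hash, last_change_days) from /etc/shadow content."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = (f[1], int(f[2]) if f[2] else None)
    return out


def is_locked(h):
    """'*', '!' and '!!' (or a '!'-prefixed hash) mean no usable password."""
    return h == "" or h[0] in "*!"


def audit(hosts, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return UID-0 accounts, hashes seen more than once, and stale accounts."""
    uid0, stale = [], []
    by_hash = defaultdict(list)
    for host, files in sorted(hosts.items()):
        pw, sh = parse_passwd(files["passwd"]), parse_shadow(files["shadow"])
        for user, (uid, _shell) in sorted(pw.items()):
            if uid == 0:
                uid0.append((host, user))
            h, last = sh.get(user, ("", None))
            if is_locked(h):
                continue  # cannot be logged into with a password; skip
            by_hash[h].append((host, user))  # same salt+hash => same password
            if last is not None and as_of - last > stale_days:
                stale.append((host, user, as_of - last))
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return {"uid0": uid0, "shared": shared, "stale": stale}


if __name__ == "__main__":
    report = audit(HOSTS)
    print("UID 0 accounts:", report["uid0"])
    for h, users in report["shared"].items():
        print("shared password", h.split("$")[2], "on", users)
    print("stale accounts (days since change):", report["stale"])
```

In practice the snapshots would be pulled over SSH or from a configuration-management backup rather than embedded, and the same three questions (who is root, who shares a secret, who has not rotated) extend to sudoers entries, SSH authorized keys and service-account credentials on the non-Unix systems the article lists.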