The Financial Times broke a story last night reporting that the British intelligence service MI5 has been warning CEOs at major businesses that “Foreign intelligence agencies are targeting IT workers at big businesses, hoping to recruit them and gain privileged access to sensitive computer systems.”
This is eerily similar to the story that emerged out of the Edward Snowden documents highlighting that the NSA was actively hunting sysadmins.
The reason that hackers, foreign agents and even our own government target IT staff and sysadmins has little to do with the individuals holding those positions – it is the privileged and administrative accounts those roles control.
Privileged accounts are the most powerful in any organization and are designed to manage network systems, run services, or allow applications to communicate with one another. They are the proverbial keys to the infrastructure – which is why attackers or malicious insiders seek to steal and exploit them.
These accounts can provide absolute control over a company’s infrastructure, which is why security firms such as CyberSheath have reported that they sit at the epicenter of 100 percent of advanced attacks.
Attackers typically use techniques such as phishing to steal these privileged and administrative credentials. Once they hold a privileged account, they can turn a company’s infrastructure against itself and cover their tracks. The result is broad access to every system on the network – and because these accounts are typically shared among IT staff, the malicious activity often looks to monitoring systems like an administrator doing routine work as they move from host to host.
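As an added illustration (not part of the original post), the following Python sketch runs a simple fan-out check over constructed authentication events in a hypothetical `key=value` log format. It shows two things the paragraph describes: a shared account such as `ops_admin` is used from several workstations during the day, so the account name alone does not tell you which person acted; and when that same account reaches many hosts within a few minutes, the burst stands out even though each individual logon looks like ordinary administration. The account names, addresses, thresholds and log format are all assumptions made for the example.

```python
"""Fan-out check for shared privileged accounts over constructed auth events.

Added example, not code from the original post. The log format below is
hypothetical and every event is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format). The shared admin account
# `ops_admin` is used by two admins during the day from 10.1.5.20/.21, then
# at night the same account fans out to many hosts from 10.1.9.77.
SAMPLE_LOGS = """\
2024-03-04T09:00:12Z account=ops_admin src=10.1.5.20 dst=fileserver01 result=success
2024-03-04T09:03:40Z account=ops_admin src=10.1.5.21 dst=fileserver01 result=success
2024-03-04T09:45:02Z account=jsmith src=10.1.5.20 dst=mailbox result=success
2024-03-04T10:10:55Z account=ops_admin src=10.1.5.20 dst=db01 result=success
2024-03-04T22:14:01Z account=ops_admin src=10.1.9.77 dst=db01 result=success
2024-03-04T22:14:09Z account=ops_admin src=10.1.9.77 dst=db02 result=success
2024-03-04T22:14:20Z account=ops_admin src=10.1.9.77 dst=fileserver01 result=success
2024-03-04T22:14:33Z account=ops_admin src=10.1.9.77 dst=fileserver02 result=success
2024-03-04T22:14:41Z account=ops_admin src=10.1.9.77 dst=dc01 result=failure
2024-03-04T22:15:02Z account=ops_admin src=10.1.9.77 dst=dc01 result=success
2024-03-04T22:15:30Z account=ops_admin src=10.1.9.77 dst=hr01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "account": m["account"],
            "src": m["src"],
            "dst": m["dst"],
            "result": m["result"],
        })
    return events


def sources_per_account(events):
    """Map each account to the set of source addresses it was used from.

    A shared account used from several workstations cannot be tied to one
    person from the account name alone; this is the attribution gap.
    """
    sources = defaultdict(set)
    for e in events:
        sources[e["account"]].add(e["src"])
    return dict(sources)


def detect_fan_out(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag accounts that touch at least `min_hosts` distinct destinations
    within `window`. Failed attempts count too: a failure against a new host
    is still a reach toward it.

    Returns {account: (window_start, distinct_destinations, sorted_sources)}
    for the first window per account that trips the threshold.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            dsts, srcs = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                dsts.add(e["dst"])
                srcs.add(e["src"])
            if len(dsts) >= min_hosts:
                findings[account] = (start["ts"], len(dsts), sorted(srcs))
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for account, srcs in sources_per_account(evs).items():
        print(f"{account}: used from {len(srcs)} source(s) {sorted(srcs)}")
    for account, (ts, n, srcs) in detect_fan_out(evs).items():
        print(f"FAN-OUT {account}: {n} hosts within 5 min from {ts} via {srcs}")
```

Daytime use of `ops_admin` from two different workstations is exactly the shared-account pattern the paragraph describes: each logon is a success to one or two servers, and nothing about the account name says which administrator was at the keyboard. The night-time burst trips the fan-out check on volume rather than identity, which is the kind of account-centric monitoring the post argues for; individual, non-shared accounts remain the cleaner fix because they restore attribution.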
Symantec recently said in the Wall Street Journal that the perimeter is dead and that security should start from the inside. This is exactly why unmanaged privileged and administrative accounts need to be treated as critical vulnerabilities.
Organizations that vet the people who hold these accounts, but do not monitor, control and manage the accounts themselves, leave the door open to potentially devastating attacks.
The common denominator among advanced attacks is that they ran through an exploited privileged account. Attackers understand this pattern. It is time for businesses to understand it as well and to close these critical security gaps proactively.