Despite Continious Warnings, Organizations Fail to Protect Privileged Accounts
Privileged accounts are a primary target for both cyber criminals and nation-state adversaries. If they are lost, the castle will fall. Despite this, the defense of privileged account credentials still leaves much to be desired. A 2016 survey of 500 professionals indicated that nearly 70% of respondents were using 'home-grown' solutions to manage accounts.
Little seems to have changed. This week, a separate survey indicates that 37% of respondents use internally developed tools or scripts, 36% use a spreadsheet, and 18% use paper-based tracking to manage at least some of their administrative and other privileged accounts. In fact, 67% of organizations use two or more tools to manage these accounts, suggesting widespread inconsistency in privileged account management.
One Identity surveyed (PDF) more than 900 IT professionals with responsibility for security and a knowledge of IAM and privileged accounts. Approximately 300 respondents come from the U.S., 300 from the UK, France and Germany; and 300 from Australia, Singapore and Hong Kong. All of the main industry verticals are represented in the survey; but technology dominated at 27%.
Twenty-eight percent of the companies represented have more than 5,000 employees; 28% have between 2,000 and 5,000 employees; and 44% have between 500 and 2,000 employees. This preponderance of mid-range companies could bias the survey results slightly more towards SMB privileged account management than large enterprise privileged account management.
Nevertheless, the results are surprising, with basic best practices widely ignored. Eighty-six percent of organizations do not consistently change the password on their admin accounts after each use. Furthermore, 40% of IT security professionals don't take the basic best practice of changing a default admin password, the survey found.
Once a system is breached -- something that many security experts believe is inevitable and not preventable -- adversaries seek to move deeper into the network. One early step is to locate legitimate user credentials. For example, in the Sony hack, the adversaries specifically looked for files named 'passwords'. If such a file is found (and it reportedly was) containing plaintext user credentials -- and especially administrative users -- then the adversary can burrow deeper and more silently into the infrastructure.
Best practices in defending these credentials would be to protect them in a specific high security password vault, and to continuously monitor the use of privileged credentials throughout the network. One Identity found that only 54% of respondents use a password vault; and that while 95% of respondents log or monitor some privileged access, only 43% monitor all such access.
The effect is that in many cases an adversary can obtain privileged access, and then use that access without being detected. The result is unhindered, and probably invisible, lateral movement through the network.
Even where credential use is monitored, 32% of the respondents said they cannot consistently identify the individuals who perform administrator activities. The reasons are probably multifold. For example, 46% of respondents admit they have multiple administrators sharing a common set of credentials, while a far smaller number of admin users actively allow others to use their credentials.
"When an organization doesn't implement the very basic processes for security and management around privileged accounts, they are exposing themselves to significant risk. Over and over again, breaches from hacked privileged accounts have resulted in astronomical mitigation costs, as well as data theft and tarnished brands," said John Milburn, president and general manager of One Identity. "These survey results indicate that there are an alarmingly high percentage of companies that don't have proper procedures in place. It is crucial for organizations to implement best practices regarding privileged access management without creating new roadblocks for work to get done."
Related: Many Enterprises Fail to Protect Privileged Credentials
Related: Defending Against the Insider - Strategies From the Field
Tags: