Excessive Admins and Privileged Security – Part I
Roger Grimes of InfoWorld proved once again that he’s one IT security influencer who truly understands the privilege account problem that organizations face. His recent column, “Too many admins spoil your security,” was a microcosm of why poor privileged and admin account security is the number one security problem organizations currently face.
Roger Grimes, InfoWorld security columnist
Roger shared the story of a client (he currently works for Microsoft as a Principal Security Architect) that “literally had thousands of application administrators. They have thousands of applications, many of which have hundreds of administrators; in fact, for some of those applications, every user was an administrator.”
As Roger points out – having thousands of application administrators is a nightmare scenario waiting to happen. If you read this blog, then you know that these accounts are the most powerful in any organization and give wide ranging access to almost any system on a network. This is why privileged accounts have emerged as the priority target of cyber-attackers.
Why is this a problem? As Roger states, “Every additional administrator causes linear-to-exponential growth in risk. Every additional admin doesn’t just increase his or her own risk; if they’re compromised, they add to the takedown risk of all the others. Each admin may belong to groups others do not. If a hacker compromises A and gets to B, B may more easily lead to C, and so on.”
This is exactly why we’ve been preaching that businesses need to focus on securing internal assets – and the pathways to those assets – before spending more time (and resources) on building bigger walls around the perimeter. We’ve seen time and again that motivated attackers will find a way through perimeter defenses, whether it’s through phishing, infected websites, etc.
Grossly Underestimating the Privileged Account Security Problem Part 3: Automating Privileged Account Management and Cyber-Ark DNA™ (Discovery & Audit)
Last week’s Privileged Account Security & Compliance Survey results highlighted that while the majority of organizations do in fact understand the power and significance of privileged accounts, most of them are surprisingly unaware of the scope of the problem. As our CMO John Worrall detailed for you in Part of 2 of our blog series, privileged accounts consist of privileged and administrative accounts, default and hardcoded passwords, application backdoors, and more. Unfortunately, the majority of organizations fail to grasp this and significantly underestimate the number of accounts that exist across their IT infrastructure.
In addition to highlighting the above, the survey also found that most organizations are using outdated, manual processes (such as spreadsheets) to identify and manage their privileged accounts. Consider this:
- 51 percent of organizations surveyed stated that privileged and administrative account passwords were shared among “approved” users.
- 53 percent of large enterprises (5,000+ employees) take 90 days or longer to change their privileged or admin passwords. (76 percent of large enterprises take 60 days or longer.)
In both cases, these findings point to a realization that many organizations fail to meet even the basics of privileged account security. Industry best practices indicate that passwords for privileged accounts should never be shared, and we recommend that any password changes should be automated and restricted to one-time use to ensure tight security standards.
This last point is important: We strongly recommend that privileged account management processes be automated to enforce controls. This also helps to provide a clear audit trail for accountability and security.
Automation is also key to privileged account discovery. Before concluding our blog series, we decided to bring John back in to leave you with more information on an important solution for your consideration. Here, John describes how Cyber-Ark DNA™ (Discovery & Audit) can help you identify where your privileged accounts exist, providing an accurate picture of the state of your enterprise privileged risk.
You can sign up here for a free risk self-assessment using Cyber-Ark DNA.
Google’s Insecurities
Want to know how to hack a building’s HVAC system? Normally, we would tell you to Google it – but in this instance, you can simply ask Google about their experiences.
Researchers recently uncovered that the industrial control system used to control Google’s Australian offices had several security vulnerabilities that would let hackers adjust the heating and cooling controls in their offices. Subsequent research showed that hundreds of businesses across Australia can relate – they have similar vulnerabilities in their building control systems as well.
If these vulnerabilities sound familiar, it’s because they’ve plagued US critical infrastructure for several years now. Here’s our recent take on the topic in AOL Energy.
The problem that Google and the thousands of 
other businesses using industrial control systems and other operational technologies have is that these systems were built to be segregated – they were not built to address the security issues that arise when you connect to a network or the Internet. Simple security protocols like changing the default passwords of these systems have been largely ignored. Unfortunately for the industry, these chickens have come home to roost.
Now, to compound matters, attackers can find these connected and vulnerable systems through simple internet searches through search engines like Shodan. And here is where ultimately, the problem lies – attackers know about these vulnerabilities and continually exploit them in almost every attack. But, the majority of organizations don’t even know they exist! A recent survey we conducted and have been blogging about highlights that most companies are simply not aware of how many privileged accounts they have, or where they exist.
Ask yourself this – do you really want to expose your company to the same vulnerability that history’s most devastating virus exploited to take down an entire country’s nuclear and energy infrastructure? I’m guessing most executives would say no.
Grossly Underestimating the Privileged Account Security Problem Part 2: Defining Privilege with Cyber-Ark CMO, John Worrall
This week, Cyber-Ark revealed the compelling results of our latest research report— the 2013 Privileged Account Security & Compliance Survey.As we detailed on our blog yesterday, the survey results have helped guide us through the answer to a perplexing question: If privileged accounts continue to emerge as the primary target for advanced enterprise attacks, why aren’t organizations doing everything they can to stop them?
The answer, we found, lies in such findings as this one—which points to a gross underestimation of the extent of the “privileged problem”: 86 percent of respondents from large enterprises (5000+ employees) stated they either didn’t know how many accounts they had or that they had no more than 1 per employee. The problem of course, is that this means that at least 2 out of every 3 privileged accounts in these organizations are either unknown or unmanaged.
Given the obvious ambiguity surrounding privileged accounts, we sat down with our CMO, John Worrall, to get his take on the survey results. To begin, we decided to have John help us take a step back and answer a question that many organizations, after reading the survey results, were probably asking themselves: “What is a privileged account?” Take it away John:
We also asked John to break the survey down for us a bit further. Here, John highlights some of the pretty compelling risk awareness numbers: Over 25% of survey respondents underestimated the number of privileged accounts that exist throughout their organization by at least a multiple of 80.
John’s definition of privileged accounts, and his clarification about their existence in every server, networked device, application, operating system and any device with a microprocessor, is critically important. As we found in the survey, 37 percent of respondents did NOT believe that each part of their enterprise IT infrastructure was comprised of privileged accounts. For the 63 percent who did believe this to be true—which it is—we salute you. For the others, please read the full report, and let John and the Cyber-Ark team know how we can help rectify this glaring uncertainty before the next advanced cyber attack hits.
Grossly Underestimating the Privileged Account Security Problem
If you read this blog, you’ve seen posts about privileged accounts being the primary target for advanced enterprise cyber-attacks. We’ve issued press releases, written blog posts, and spoken to the media about privileged accounts being exploited to perpetrate some of the most devastating cyber-attacks in recent memory. We’re not the only ones calling this out – just check out the latest Mandiant or Verizon security reports. This leads to the question: if everyone knows that attackers are targeting privileged accounts, why does this keep happening and why aren’t businesses doing more to protect these accounts?
We have a few ideas – but we wanted to get to the bottom of this by asking security and IT professionals on the front line their thoughts on the topic. At a series of IT security conferences in the US and Europe, we conducted the 2013 Privileged Account Security & Compliance Survey, asking 236 security professionals and C-level execs about their privileged account security practices.
We’ll break down all the results in subsequent postings (and you can download the entire survey here ), but we want to address the question asked above – if attackers are targeting privileged accounts, why aren’t organizations protecting them better? The answer isn’t shocking unfortunately – companies simply don’t know how pervasive privileged accounts are within their own organization.
When asked to estimate the number of privileged accounts in their organization, 86 percent of respondents from large enterprises (5000+ employees) stated they either didn’t know how many accounts they had, or that they had no more than 1 per employee.
Even if you exclude the “I don’t know” responses, here’s why this is a gross underestimation. Based on our internal research across more than a thousand customer deployments, we’ve conservatively determined that the number of privileged accounts in an organization is typically 3 to 4 times the number of employees. So if you have a 5,000 person company, that means you have, conservatively, more than 15,000 – 20,000 privileged accounts.
That sounds like a lot – because it is. Here’s why the number is so high. Privileged accounts were typically only thought of as the powerful IT administrator or superuser accounts – but the notion of privileged accounts has expanded to include default and hardcoded passwords, application backdoors, and more. These access points exist in almost any device with a microprocessor and each one represents a vulnerability for an organization.
Attackers know these weak spots exist and can often find these default credentials through a simple Internet search. Like, for instance, the researcher who created a massive Botnet army out of 420,000 embedded devices that were using default credentials. Or the thousands of critical infrastructure devices that were protected only by default passwords and were easily found through the Shodan search engine.
This is why we launched Cyber-Ark DNA – to help organizations identify these vulnerabilities by scanning and analyzing privileged accounts across their networks. The problem will never be fixed until we first understand and accept the scope of the challenge we face.
Grab your copy of the survey for a deeper dive into what we found.
Privileged Access Is Everywhere! Even in Your Glasses.
Cyber-Ark has talked a lot over the years about how pervasive privileged accounts are, and how powerful privileged access can be. Case in point, Google Glass.
Jay Freeman, a technology consultant was able to gain root level privileges in Google Glass. It provides an excellent example of the power an individual has once they gain access to root level privileges.
According to Jay, as reported by Help Net Security:
“Once the attacker has root on your Glass, they have much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head. A bugged Glass doesn’t just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do,” he writes. “The only thing it doesn’t know are your thoughts.”
While there is no “privileged account” in this situation, it is a great example of the how powerful privileged access can be. Keep this in mind as you think about how you are controlling and monitoring privileged account use in your organization. Once an attacker has access to root or admin privileges in your IT infrastructure, they can do serious damage and are very difficult to detect. And privileged access is available throughout your company’s IT infrastructure, your home and even in your eye wear.
Privileged Accounts: So Easy a Kid Could Hack Them.
Phishing. It’s a problem; we can all agree on that. Normally we’re talking about APTs in relation to this: really sophisticated long-term attacks that enter at one seemingly unrelated vector only to work their way up the chain of command to get at the heart of your most important data. Frequently APTs use phishing, malware, and social engineering to accomplish their goal of reaching those all-important admin names and passwords, in the following instance it was just one of those vectors.
Some middle school students in Alaska actually phished for administrator privileges. The students used the credentials to obtain access and to control fellow classmates’ PCs. Why the accounts weren’t locked down is a mystery, but I hope people can take a professional lesson from this. Secure your privileged accounts – make it a priority. It’s so easy to get phished, a kid can do it.
If you need to get a handle on how many privileged accounts you currently have and where they exist, you can get a free risk assessment with Cyber-Ark DNA.
AP Hack & Social Media Accounts – Another Great Example of the Danger of Shared, “Privileged” Accounts
As this week’s attack on the Associated Press’ Twitter admin account shows, unprotected and unmonitored shared privileged accounts can literally move markets. One simple Tweet, sent by an unauthorized person, sent the Dow Jones Industrial Average down by 143 points in a matter of minutes.
Privileged accounts, those all-powerful credentials that allow cloud, application and systems administrators to do their job, need to be considered as critical vulnerabilities that must be managed.
While most of the press coverage about the AP/Twitter attack has focused on the power of social media to move markets, we should also be looking at the risk inherent in a single, shared administrative account that allowed the attacker to post the Tweet in the first place.
The power of these accounts, and frequency of their use in major cyber-attacks, is outlined in CyberSheath’s recently released APT Privileged Account Exploitation research report.
Worried About Your Next Audit? Advanced Threats? Get to Know Your Privileged Accounts
In Biology, DNA encodes the genetic instructions used in the development and functioning of all known living organisms. DNA is found in every living cell and is the foundation for control over the organism.
The same could be said about privileged and administrative accounts in the enterprise. These powerful accounts are at the root of almost every enterprise function and exist throughout the IT infrastructure. These accounts are found on desktops, laptops, databases, applications, network devices, and throughout cloud deployments.
Organizations want to manage these powerful accounts in order to minimize the associated risk of leaving them unattended constituting critical points of attack on the organization. However, often organizations are not aware just how many privileged accounts they have or where they exist. Since this information is scattered across the organization there is a real challenge to attain a true picture as to the status of privileged accounts.
This is why Cyber-Ark recently introduced Cyber-Ark DNA™ (Discovery & Audit) – the industry’s first stand alone solution that rapidly locates all privileged, shared and generic accounts without having to install anything on target machines.
Identifying privileged accounts has traditionally been a manual process – taking hundreds of hours of time from IT and creating a long and complex audit process. Given the number and variety of privileged accounts, identifying these accounts manually and gaining an accurate picture when they were last changed or used, has been impossible. Cyber-Ark DNA is the Watson/Crick of the Privileged Account Genome – enabling organizations to expose the magnitude of the privileged account security risk within their organization and get accurate insight into the compliance status of these accounts in preparation for the next audit.
Identifying the Privileged Pathway
Cyber-Ark is currently offering businesses the opportunity to use Cyber-Ark DNA for a free self-assessment to discover where their privileged accounts – and risk – exist.
One customer, who wished to remain anonymous, recently used Cyber-Ark DNA and made some startling discoveries. The company was looking for a solution to manage privileged domain accounts. Cyber-Ark DNA was run on about 100 servers. This included servers that were part of the company’s effort to outsource some IT functions.
Cyber-Ark DNA discovered two things across these servers:
- Some of the servers scanned had unmanaged admin accounts created by the IT outsourcer and had not been changed for more than 200 days, despite being used recently which presented a tremendous security risk;
- Employees who had left the company created personal admin accounts which was a substantial audit finding
This discovery led to significant policy changes for the organization and put the management of local admins on a much higher priority level.
Why is this important? Privileged accounts are increasingly being used as high value attack points in almost every advanced attack, and were the root cause of breaches such as Saudi Aramco, Stuxnet, Red October, Subway Restaurants, Global Payments, the Utah and South Carolina breaches, and the U.S. Department of Energy among others.
Every privileged account is a potential attack point. Unmanaged and unprotected privileged accounts are a white flag to cyber-attackers that indicates your intellectual property and sensitive data is open for business.
Why the continued confidence in perimeter defense?
“A determined attacker can easily slide through your perimeter defenses—we need a new approach.”
I hear that sentence a lot these days. In fact, I’ve been hearing it off and on for close to ten years now. Driven by growth in the mobile workforce and expansion of outsourced business partnerships, the cry, “perimeter security is dead…we need a new model,” continues to gain in popularity. Yet in spite of all this talk, out of the $32B security products market last year, (my estimate, but it’s close enough for this discussion), the vast majority of security funding is still spent on perimeter defense. Investment in actual data protection, monitoring and forensics tools, however, pales in comparison.
This past week, with the news cycle instigated by Mandiant’s APT1 report, the focus has again fixated on perimeter security and how organizations should prevent the initial breach.. For example, Network World took email vendors to task for not doing enough to prevent phishing, while on NPR’s All Things Considered, the infatuation with perimeter security was so overt that the only questions on tactics directed to Mandiant CEO Kevin Mandia were those that focused on how an attacker could be so successful merely by spear-phishing.
If you read through the Mandiant report, however, you’ll notice that in addition to phishing, it also covers other critical components of a successful attack. It’s a worthwhile read on backdoors, covert communications, privilege escalation, internal reconnaissance, lateral movement and maintaining presence.
Ultimately, phishing attacks are only the beginning of an advanced threat attack. Think of the home security analogy. A burglar may have gotten in your front door, but he hasn’t stolen anything yet. He still needs to search the house to find where you hid the silver and jewelry. He needs to pick the lock on the closet or crack the wall safe. Then he needs to collect all of the loot and head out the backdoor.
This is why I firmly believe the initial quote at the top of this post. Just like you would do by storing valuables in a safe at your own home, you should assume that there are already attackers inside your network. After all, a determined attacker will get in. Every time. But if you are proactive, and take an inside out approach to your organization’s security, you CAN lockdown the (privileged) pathways to the most sensitive information—which effectively disrupts the cyber attack.
But you need to take that approach. So what’s your plan?