
Privileged accounts key to most APT attacks, says Cyber-Ark

Warwick Ashford

The theft, misuse and exploitation of privileged accounts are becoming an increasingly important tactic in every phase of the advanced persistent threat (APT) attack cycle, according to security firm Cyber-Ark.

“Many high-profile breaches, including those at RSA and the US Chamber of Commerce, have involved the exploitation of privileged or administrator accounts,” said Udi Mokady, chief executive of Cyber-Ark.

“Once the security perimeter is breached through phishing or other similar simple techniques, attackers typically take over privileged accounts to move around the company network,” he told Computer Weekly.

These accounts are the most sought after because they let attackers cover their tracks by erasing logs, install back doors, and reach highly sensitive information without being detected.

“Once inside, privileged accounts provide a golden path to accessing data and remaining undetected for long periods of time,” said Mokady.

Mandiant's February report on Chinese cyber attacks against 141 organisations around the world found that 90% of them involved the takeover of privileged accounts.

“This provides a strong indicator that protecting these accounts needs to be about more than meeting minimum compliance standards; it has become a critical way to protect data assets,” said Mokady.

“We need to assume that the attackers are inside our networks right now and proceed accordingly by blocking the pathways they’re travelling to access and steal our sensitive data,” he said.

However, relatively few organisations understand the importance of hardening these accounts, mainly because they greatly underestimate how many such accounts exist and how much power they carry, he said.

The number of privileged accounts in an organisation is typically three to four times greater than the number of employees, because every firewall, database and virtual machine has its own admin account.

One of the biggest challenges for organisations is to find all the privileged accounts that exist in their IT infrastructure.

“Only once an organisation has a sense of the scope of the problem can it begin setting policies and enforcing them to provide secure access control,” said Mokady.
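The discovery step described above is, in practice, a consolidation job: pull the account lists each platform can export, decide per platform which roles amount to administrative control, and then count what you have and who owns it. The script below is an added illustration, not code from the article or from Cyber-Ark; the system names, accounts, owners and the role-to-platform mapping are all constructed for the example, and a real inventory would read these records from the firewalls, databases, hypervisors and directory rather than from a list in the source.

```python
"""Consolidate per-system account exports into one privileged-account inventory.

Constructed sample data only: the systems, accounts, owners and role names
below are made up for illustration and are not taken from the article.
"""
from collections import Counter, defaultdict

# Roles that grant administrative control, keyed by the kind of system that
# reports them. Assumption: these role names are what each platform's export uses.
PRIVILEGED_ROLES = {
    "firewall": {"admin", "superuser"},
    "database": {"sysadmin", "dba", "superuser"},
    "vm": {"root", "Administrator", "sudo"},
    "directory": {"Domain Admins", "Enterprise Admins"},
}

# One record per (system, account), as a consolidation job would produce after
# pulling exports from every platform. Constructed.
ACCOUNTS = [
    {"system": "fw-edge-01", "type": "firewall", "account": "admin", "roles": ["admin"], "owner": None},
    {"system": "fw-edge-01", "type": "firewall", "account": "jsmith", "roles": ["readonly"], "owner": "jsmith"},
    {"system": "db-erp-01", "type": "database", "account": "sa", "roles": ["sysadmin"], "owner": None},
    {"system": "db-erp-01", "type": "database", "account": "erp_app", "roles": ["db_datareader"], "owner": "erp-team"},
    {"system": "db-erp-01", "type": "database", "account": "mlee", "roles": ["dba"], "owner": "mlee"},
    {"system": "vm-web-01", "type": "vm", "account": "root", "roles": ["root"], "owner": None},
    {"system": "vm-web-01", "type": "vm", "account": "deploy", "roles": ["sudo"], "owner": "web-team"},
    {"system": "vm-web-02", "type": "vm", "account": "root", "roles": ["root"], "owner": None},
    {"system": "corp.example", "type": "directory", "account": "mlee", "roles": ["Domain Admins"], "owner": "mlee"},
    {"system": "corp.example", "type": "directory", "account": "svc_backup", "roles": ["Domain Admins"], "owner": None},
    {"system": "corp.example", "type": "directory", "account": "jsmith", "roles": ["Domain Users"], "owner": "jsmith"},
]


def is_privileged(record):
    """True if any of the account's roles is administrative for its system type."""
    return bool(set(record["roles"]) & PRIVILEGED_ROLES.get(record["type"], set()))


def privileged_accounts(records):
    return [r for r in records if is_privileged(r)]


def unowned_privileged(records):
    """Privileged accounts with no accountable person or team: the built-in and
    service accounts most likely to be shared, unrotated and unmanaged."""
    return [r for r in privileged_accounts(records) if r["owner"] is None]


def count_by_type(records):
    """How many privileged accounts each kind of system contributes."""
    return Counter(r["type"] for r in privileged_accounts(records))


def privileged_per_employee(records, employee_count):
    """Ratio of privileged accounts to staff; the article cites 3-4x as typical."""
    return len(privileged_accounts(records)) / employee_count


def privileged_holders(records):
    """Map each named owner to the systems where they hold privilege, so a
    least-privilege review can see who is an admin where."""
    holders = defaultdict(set)
    for r in privileged_accounts(records):
        if r["owner"] is not None:
            holders[r["owner"]].add(r["system"])
    return dict(holders)


if __name__ == "__main__":
    priv = privileged_accounts(ACCOUNTS)
    systems = {r["system"] for r in ACCOUNTS}
    print(f"{len(priv)} privileged accounts across {len(systems)} systems")
    print("by system type:", dict(count_by_type(ACCOUNTS)))
    for r in unowned_privileged(ACCOUNTS):
        print(f"UNOWNED  {r['type']:<9} {r['system']:<14} {r['account']}")
    print("holders:", privileged_holders(ACCOUNTS))
```

In the constructed data two named employees account for eight privileged identities, five of them built-in or service accounts with no owner; those unowned accounts are the ones a policy then has to place under vaulting, rotation and approval, and the holder map is the input to the least-privilege review mentioned later in the article.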

The third element of a more proactive approach, after discovering the accounts and setting policies for them, is constant monitoring that records who accesses which assets and why.

“In this way, firms can adopt a least-privilege approach to ensure employees can access only what they need for their job, and to more easily identify rogue employees and network intrusions,” said Mokady.
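Monitoring of the kind Mokady describes is useful only if someone can say what a privileged account is supposed to touch and then test each logon against that. The script below is an added example, not code from the article or from Cyber-Ark: it parses a constructed authentication log, flags successful logons by a privileged account to hosts outside that account's approved scope, and flags any privileged account that reaches several distinct hosts within a few minutes, which is the move-around-the-network pattern quoted earlier. The log format, host names, accounts and the approved-scope table are assumptions made for the example; in a real deployment the events would come from a SIEM or the domain controllers and the scope from the access-control policy.

```python
"""Flag suspicious use of privileged accounts in authentication logs.

Constructed example: the log format, hosts, accounts and approved scopes are
made up for illustration and do not come from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event format, one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\w+)$"
)

# Hosts each privileged account is approved to administer. Assumption: this
# table is produced by the policy step that follows account discovery.
APPROVED_SCOPE = {
    "svc_backup": {"backup-01", "fileserver-01"},
    "mlee": {"db-erp-01", "dc-01"},
}

# Constructed sample events: a backup service account that, within two minutes,
# starts authenticating to hosts it has no business with.
SAMPLE_LOG = """\
2013-03-12T02:14:05Z auth user=svc_backup src=10.0.5.23 dst=fileserver-01 result=success
2013-03-12T02:14:09Z auth user=svc_backup src=10.0.5.23 dst=backup-01 result=success
2013-03-12T02:15:40Z auth user=svc_backup src=10.0.5.23 dst=hr-db-01 result=success
2013-03-12T02:15:52Z auth user=svc_backup src=10.0.5.23 dst=finance-ws-07 result=success
2013-03-12T02:16:03Z auth user=svc_backup src=10.0.5.23 dst=dc-01 result=failure
2013-03-12T02:16:10Z auth user=svc_backup src=10.0.5.23 dst=dc-01 result=success
2013-03-12T09:02:11Z auth user=mlee src=10.0.7.41 dst=db-erp-01 result=success
2013-03-12T09:30:00Z auth user=jsmith src=10.0.7.12 dst=vm-web-01 result=success
"""


def parse_events(text):
    """Parse log lines into dicts with a datetime timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def out_of_scope(events, scope=APPROVED_SCOPE):
    """Successful logons by a privileged account to a host it is not approved for."""
    return [
        ev for ev in events
        if ev["user"] in scope and ev["result"] == "success" and ev["dst"] not in scope[ev["user"]]
    ]


def fan_out(events, window=timedelta(minutes=5), threshold=3, scope=APPROVED_SCOPE):
    """Privileged accounts that reach `threshold` or more distinct hosts within
    `window`. Returns {user: set_of_hosts} for each account that trips it."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] in scope and ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):  # slide the window over each start event
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                alerts[user] = hosts
                break
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ev in out_of_scope(events):
        print(f"OUT-OF-SCOPE {ev['ts']:%H:%M:%S} {ev['user']} -> {ev['dst']}")
    for user, hosts in fan_out(events).items():
        print(f"FAN-OUT      {user} reached {len(hosts)} hosts: {sorted(hosts)}")
```

Both checks depend on the inventory and policy work that precedes them: an account that is not in the scope table is invisible to them, which is the practical reason the article puts discovery first and monitoring third.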

As awareness of the problem grows, so does adoption of access control and monitoring systems, he said, with the financial, energy, public and retail sectors typically leading the way in most countries.

Organisations in these sectors increasingly demand controls that enforce separation of duties, dual approval and two-factor authentication to minimise abuse of privileged accounts.

