The theft, misuse and exploitation of privileged accounts is increasingly a key tactic in each phase of an advanced persistent threat (APT) attack cycle, according to security firm Cyber-Ark.
“Many high-profile breaches, including those at RSA and the US Chamber of Commerce, have involved the exploitation of privileged or administrator accounts,” said Udi Mokady, chief executive of Cyber-Ark.
“Once the security perimeter is breached through phishing or other similar simple techniques, attackers typically take over privileged accounts to move around the company network,” he told Computer Weekly.
These accounts are the most sought after because they enable attackers to erase their digital footprints, install back doors, erase logs, and gain access to highly sensitive information without being detected.
“Once inside, privileged accounts provide a golden path to accessing data and remaining undetected for long periods of time,” said Mokady.
The Mandiant report in February into Chinese cyber attacks against 141 organisations around the world showed that 90% involved the takeover of privileged accounts.
“This provides a strong indicator that protecting these accounts needs to be about more than meeting minimum compliance standards; it has become a critical way to protect data assets,” said Mokady.
“We need to assume that the attackers are inside our networks right now and proceed accordingly by blocking the pathways they’re travelling to access and steal our sensitive data,” he said.
However, relatively few organisations understand the importance of hardening these accounts, mainly because they greatly underestimate the number and power of these accounts, he said.
The number of privileged accounts in an organisation is typically three to four times greater than the number of employees, as each firewall, database and virtual machine will have an admin account.
One of the biggest challenges for organisations is to find all the privileged accounts that exist in their IT infrastructure.
“Only once an organisation has a sense of the scope of the problem can it begin setting policies and enforcing them to provide secure access control,” said Mokady.
The third important element of a more proactive approach to the problem is constant monitoring to track who accesses which assets and for what reason.
“In this way, firms can adopt a least-privilege approach to ensure employees can access only what they need for their job, and to more easily identify rogue employees and network intrusions,” said Mokady.
As awareness of this problem is growing, so is the adoption of access control and monitoring systems, he said, with the financial, energy, public and retail sectors typically leading the way in most countries.
Organisations in these sectors are increasingly demanding the capacity to ensure separation of duties, dual approval processes, and two-factor authentication to minimise abuse of privileged accounts.