Businesses need a layer that provides security for privileged access accounts – the “keys to the kingdom,” says David Higgins, professional services manager, UK and Ireland, CyberArk.
“In most high-profile attacks, all roads into a network lead to privileged accounts,” Higgins told the European Information Security Summit 2015 in London.
“No matter who is conducting the attack, no matter their motive and regardless of where they are coming from, all attackers will seek to gain control of privileged accounts to escalate their privileges and expand their access in the target network,” said Higgins.
Improving the security around these accounts is a good way to reduce the impact of network breaches once they occur, but few organisations know how many privileged accounts they have.
Another challenge is the sheer number of privileged accounts in organisations – sometimes up to three times as many as normal user accounts – and typically many of these are undocumented.
Beyond the obvious system administrator accounts, there are many more hidden privileged access accounts associated with applications, service providers, selected business users and social media account managers.
“Once inside a network, attackers typically look for privileged account credentials, and use them to access other parts of the network to find other credentials, until they are able to carry out their goal,” said Higgins.
Case study: Ukraine elections
In an attack aimed at discrediting a Ukrainian governor during elections, for example, the attackers found and exploited a website vulnerability to get onto the web server and locate a Windows operating system store of password hashes.
“This enabled them to use a simple and commonly used pass-the-hash technique to access other systems where these passwords were used, bypassing all security controls by appearing to be an insider with valid credentials,” said Higgins.
In one location, the attackers found a map of the network architecture that led them to a repository of user names and passwords, which they then used to locate the data they were seeking.
“The attack was simply a series of cycles of finding credentials and using those credentials to find more credentials, increasing their ability to move around with each cycle,” said Higgins.
“With the data they were seeking located, it was then a simple matter to copy that data out of the system and publish it online.”
How to counter an attack
Higgins said this type of activity can be limited in a four-step process that starts with discovering all the privileged accounts in an organisation, which can be done using free, online tools.
“CyberArk provides one such free tool that will scan IT environments and identify the number of privileged access accounts; it will flag up accounts with poor security, and it will map potential vulnerabilities to attack techniques such as pass-the-hash,” he said.
The next step is protecting and managing those privileged accounts, which includes ensuring passwords are changed on a regular basis.
Next, organisations need to control, isolate and monitor access to all servers and databases. “Users should be allowed access only if they have valid reasons to do so,” said Higgins. “This can be enforced with strong credential access workflows and monitoring all privileged account activity.”
Finally, he said that by using a real-time privileged account intelligence system, organisations can detect and respond to attacks while they are still in progress.
“Once a breach has occurred, analytics can quickly identify anomalous behavior, enabling security teams to focus on these instances quickly and shut them down,” said Higgins.
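As an added illustration of the discovery, rotation and detection steps above (example code, not the article's or CyberArk's tool), the following Python runs over a constructed account inventory and constructed authentication events: it flags privileged accounts that are undocumented or past their password-rotation age, and alerts when one privileged credential fans out across many hosts within minutes, the credential-hopping cycle the case study describes. Account names, hosts and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed privileged-account inventory (not real data), the kind of list
# a discovery scan produces; undocumented accounts and stale passwords are flagged.
ACCOUNTS = [
    {"name": "dba_admin",  "documented": True,  "pw_changed": "2015-01-20"},
    {"name": "svc_backup", "documented": False, "pw_changed": "2014-03-01"},
    {"name": "app_deploy", "documented": False, "pw_changed": "2015-02-10"},
]

# Constructed authentication events: (timestamp, account, target host).
T = datetime(2015, 3, 10, 9, 0)
AUTH_EVENTS = [
    (T,                         "dba_admin",  "db01"),
    (T + timedelta(minutes=5),  "dba_admin",  "db02"),
    (T + timedelta(minutes=10), "svc_backup", "fs01"),
    (T + timedelta(minutes=11), "svc_backup", "fs02"),
    (T + timedelta(minutes=12), "svc_backup", "web01"),
    (T + timedelta(minutes=13), "svc_backup", "dc01"),
]

def flag_weak_accounts(accounts, now, max_age_days=90):
    """Steps 1-2: {account: [reasons]} for privileged accounts that are
    undocumented or whose password is older than the rotation policy allows."""
    flagged = {}
    for acct in accounts:
        reasons = []
        age = (now - datetime.strptime(acct["pw_changed"], "%Y-%m-%d")).days
        if age > max_age_days:
            reasons.append("password %d days old" % age)
        if not acct["documented"]:
            reasons.append("undocumented")
        if reasons:
            flagged[acct["name"]] = reasons
    return flagged

def detect_fan_out(events, window_minutes=10, max_hosts=3):
    """Step 4: {account: distinct_hosts} for any account that reaches more than
    max_hosts distinct hosts inside one sliding window of window_minutes."""
    by_account = {}
    for ts, acct, host in sorted(events):
        by_account.setdefault(acct, []).append((ts, host))
    alerts = {}
    for acct, evs in by_account.items():
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(hosts) > max_hosts:
                alerts[acct] = len(hosts)
                break
    return alerts
```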