Privileged Account Management: How Vulnerable Is Your Organization? Find Out With CYBERARK DNA™

By Eric Noonan • February 28, 2018

Every day, successful attacks exploit hijacked privileged credentials. Attackers obtain domain-level Windows admin credentials by exploiting common vulnerabilities found in most enterprise IT environments. These attack techniques are easy to deploy given the proliferation of toolkits for creating malware, and attackers routinely achieve complete network takeover and execute massive data exfiltration. According to the FireEye M-Trends 2016 report, targeting highly privileged accounts and extracting credentials from memory has become “almost trivial” in Windows environments.

Given the increasing awareness of the role privileged accounts play in these attacks, protecting privileged credentials is becoming a top priority at many organizations today. The Center for Internet Security (CIS) acknowledges this by including both Continuous Vulnerability Assessment and Remediation (CIS Control 4) and Controlled Use of Administrative Privileges (CIS Control 5) in its top 5 list of things to do to “Eliminate the vast majority of your organization’s vulnerabilities.”

This thinking has been endorsed by the U.S. Government, which cites the CIS Controls in the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a recommended implementation approach for the Framework, and by the European Telecommunications Standards Institute (ETSI), the National Governors Association (NGA) and the U.K.’s Centre for the Protection of National Infrastructure (CPNI). The data is in, and highly knowledgeable practitioners from every sector and aspect of the business agree that these twenty actions (the CIS Controls) stop the vast majority of attacks. So, if you want to stop the bleeding, start addressing Privileged Account Management now.

Addressing this risk doesn’t have to take long; in fact, with a sufficient sense of urgency, material risk reduction can be accomplished in a matter of weeks. Anyone who has been on the operational response side of a significant data breach can attest to the incredible progress that is usually made when, post-breach, Privileged Account Management becomes an executive priority.

This blog offers you an approach to make Privileged Account Management an executive priority before the breach.

Get the Data: How Vulnerable Is Your Organization?

To make the case for comprehensive Privileged Account Management, look at the common practices that have become common vulnerabilities and get the data specific to your organization. Security professionals know that they need to minimize administrative privileges, use administrative accounts only when they are required, audit the use of administrative privileged functions, and monitor for anomalous behavior.

Given these generally accepted principles, if your organization is doing any of the following you probably have a significant opportunity to reduce risk:

  • Providing end users with local admin rights on their workstations
  • Allowing IT helpdesk staff to use domain admin accounts for troubleshooting workstations and servers
  • Giving IT admins access to domain admin accounts
  • Building workstations from cloned images, so that they all share the same local administrator password
  • Not rotating administrator passwords more frequently than every 30-60 days
  • Using AD Group Policy to rotate a single administrative password across all machines
  • Allowing accounts used by applications to have domain administrator privileges

Most likely your organization is doing at least one of the above and might not even have a complete picture of how widespread the problem is.

At this point you might be thinking “Thanks for telling me what I already know, I need to know what to do.” Fair point. Start by using automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized.
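As an added example (not code from this post or from CYBERARK DNA™), the following PowerShell performs a first pass at that inventory: it pulls local Administrators group membership from a constructed list of Windows hosts, flags members that are not on an assumed approved list, and reports Domain Admins whose password age exceeds the 90-day policy threshold cited later in this post. The host names, the approved groups, WinRM access to the targets and the RSAT ActiveDirectory module are all assumptions.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on the
# targets (Get-LocalGroupMember), WinRM enabled, and a caller allowed to run
# remote commands. Host names and approved groups are constructed samples.
$Computers = @('WKS-001', 'WKS-002', 'SRV-FILE01')               # constructed scope
$Approved  = @('CORP\Workstation Admins', 'CORP\Server Admins')  # assumed policy
$MaxPasswordAgeDays = 90                                         # policy threshold from the post

$Findings = foreach ($Computer in $Computers) {
    try {
        # One object per member of the local Administrators group on each host.
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    }
    catch {
        Write-Warning "$Computer unreachable: $($_.Exception.Message)"
        continue
    }
    foreach ($Member in $Members) {
        [pscustomobject]@{
            Computer   = $Computer
            Member     = $Member.Name
            Type       = $Member.ObjectClass       # User or Group
            Source     = $Member.PrincipalSource   # Local, ActiveDirectory, AzureAD
            # The built-in local Administrator account is expected; everything
            # else must be on the approved list to count as authorized.
            Authorized = ($Approved -contains $Member.Name) -or
                         ($Member.Name -eq "$Computer\Administrator")
        }
    }
}

# Unauthorized local admins: end users, helpdesk groups, service accounts.
$Findings | Where-Object { -not $_.Authorized } |
    Sort-Object Computer, Member | Format-Table -AutoSize

# Domain Admins (nested membership resolved) with stale passwords flagged.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet, Enabled |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } } },
        @{ n = 'ViolatesPolicy'; e = { -not $_.PasswordLastSet -or
                                       (New-TimeSpan -Start $_.PasswordLastSet).Days -gt $MaxPasswordAgeDays } } |
    Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

A null PasswordLastSet (password never set or set to expire at next logon) is reported as a violation rather than silently passing.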

There are many tools available to do this kind of scanning and CyberSheath recommends CYBERARK DNA™, a no-cost tool that will:

  • Discover privileged accounts on-premises, in the cloud, and in DevOps environments
  • Assess privileged account security risks
  • Identify accounts with local administrator rights
  • Identify machines vulnerable to credential theft attacks

CYBERARK DNA™ will tell you how vulnerable your organization’s privileged accounts are and give you the detail behind critical questions like:

  • On which systems do privileged accounts exist?
  • Which accounts have escalated privileges?
  • Which machines contain SSH keys, and what trust relationships exist between systems?
  • Which machines on the network are vulnerable to credential theft attacks, including credential harvesting, Pass-the-Hash, Overpass-the-Hash, and Golden Ticket?
  • Where are embedded and hard-coded credentials stored within applications?
  • Who are my most privileged Amazon Web Services (AWS) IAM users and what AWS credentials exist?
  • Are there hidden, unprotected credentials in my DevOps tools (such as Ansible Playbooks, Roles and Tasks)?
  • Which privileged accounts are not in compliance with company policy (e.g., a password that has not been changed in more than 90 days)?

Once you have answers to these questions you will have the data that you need to holistically and proactively reduce the risk associated with Privileged Account Management.
