Week after week, successful attacks exploit hijacked privileged credentials. Attackers obtain domain-level Windows administrator credentials by exploiting weak practices that are common in most enterprise IT environments, and the proliferation of malware toolkits makes these techniques easy to deploy. Attackers routinely achieve complete network takeover and execute massive data exfiltration. According to the FireEye M-Trends 2016 report, targeting highly privileged accounts and extracting credentials from memory has become “almost trivial” in Windows environments.
Given the growing awareness of the role privileged accounts play in these attacks, protecting privileged credentials is becoming a top priority at many organizations. The Center for Internet Security (CIS) acknowledges this by including both Continuous Vulnerability Assessment and Remediation (CIS Control 4) and Controlled Use of Administrative Privileges (CIS Control 5) in its top five list of things to do to “Eliminate the vast majority of your organization’s vulnerabilities.”
The CIS Controls are endorsed as a recommended implementation approach for the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and by the European Telecommunications Standards Institute (ETSI), the National Governors Association (NGA), and the U.K.’s Centre for the Protection of National Infrastructure (CPNI). The data is in, and knowledgeable practitioners from every sector and every part of the business agree that these twenty actions stop the vast majority of attacks. So, if you want to stop the bleeding, start addressing Privileged Account Management now.
Addressing this risk doesn’t have to take long; with a sufficient sense of urgency, material risk reduction can be accomplished in a matter of weeks. Anyone who has been on the operational response side of a significant data breach can attest to the remarkable progress that is usually made once, post-breach, Privileged Account Management becomes an executive priority.
This post offers an approach for making Privileged Account Management an executive priority before the breach.
Get the Data: How Vulnerable Is Your Organization?
To make the case for comprehensive Privileged Account Management, look at the common practices that have become common vulnerabilities and get the data specific to your organization. Security professionals know that administrative privileges must be minimized, that administrative accounts should be used only when the task requires them, and that use of administrative functions must be audited and monitored for anomalous behavior.
Given these generally accepted principles, if your organization is doing any of the following you probably have a significant opportunity to reduce risk:
- Providing end users with local administrator rights on their workstations
- Allowing IT helpdesk staff to use domain admin accounts for troubleshooting workstations and servers
- Giving IT admins standing access to domain admin accounts
- Building workstations from cloned images, so they all share the same local administrator password (and one stolen hash works on every machine)
- Rotating administrator passwords less often than every 30-60 days, or not at all
- Using AD Group Policy to rotate one administrative password for all machines (Group Policy Preferences stores that password in SYSVOL, where any domain user can read and decrypt it)
- Allowing accounts used by applications to have domain administrator privileges
Most likely your organization is doing one or more of the above and may not even have a complete picture of how pervasive the problem is.
At this point you might be thinking, “Thanks for telling me what I already know; I need to know what to do.” Fair point. Start by using automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized.
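As an added example (not code from CyberSheath or CyberArk), the following PowerShell script does a first-pass version of that inventory against the practices listed above: it resolves Domain Admins membership (including nested groups) with each account's password age, enumerates the local Administrators group on a set of hosts, checks how old each built-in Administrator password is, and looks for Group Policy Preferences files in SYSVOL that still carry a cpassword. It uses only ADSI and built-in cmdlets, so it runs from any domain-joined Windows host without RSAT. The hostnames, the authorized-admin list, the CORP domain name and the 90-day threshold are assumptions for the example.

```powershell
# Added example, not CyberSheath's or CyberArk's code. Run as a domain user with read access
# to Active Directory and local administrator rights on the target hosts.

$AuthorizedAdmins   = @('CORP\Domain Admins', 'CORP\WKS-Admins')   # assumed policy: who may be a local admin
$Computers          = @('WKS-001', 'WKS-002', 'SRV-FILE01')         # assumed inventory (normally pulled from AD/CMDB)
$MaxPasswordAgeDays = 90                                            # assumed policy: rotate admin passwords every 90 days

# Members of Domain Admins, resolved through nested groups server-side (LDAP_MATCHING_RULE_IN_CHAIN),
# with the age of each member's password from pwdLastSet.
function Get-DomainAdminMembers {
    $dn = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
    $searcher.Filter = '(&(objectCategory=group)(sAMAccountName=Domain Admins))'
    $daDn = $searcher.FindOne().Properties['distinguishedname'][0]
    $searcher.Filter = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$daDn))"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet'))
    foreach ($result in $searcher.FindAll()) {
        $lastSet = [DateTime]::FromFileTime([int64]$result.Properties['pwdlastset'][0])
        [pscustomobject]@{
            Account         = $result.Properties['samaccountname'][0]
            PasswordAgeDays = [int]((Get-Date) - $lastSet).TotalDays
        }
    }
}

# Members of the local Administrators group on a host, returned as DOMAIN\name or HOST\name.
function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CORP/jdoe -> CORP\jdoe
    }
}

# Days since the built-in Administrator password was last changed (assumes the account was not renamed).
function Get-LocalAdminPasswordAgeDays {
    param([Parameter(Mandatory)][string]$ComputerName)
    $user = [ADSI]"WinNT://$ComputerName/Administrator,user"
    [int]([int64]$user.PasswordAge.Value / 86400)          # PasswordAge is reported in seconds
}

# Group Policy Preferences XML files in SYSVOL that embed a local-account password (cpassword).
# The key that encrypts cpassword is public, so any domain user can recover these passwords.
function Find-GppPasswords {
    $policies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="[^"]+"' |
        ForEach-Object { $_.Path }
}

$findings = @()
foreach ($da in Get-DomainAdminMembers) {
    if ($da.PasswordAgeDays -gt $MaxPasswordAgeDays) {
        $findings += "Domain Admin $($da.Account): password is $($da.PasswordAgeDays) days old"
    }
}
foreach ($computer in $Computers) {
    try {
        foreach ($member in Get-LocalAdminMembers -ComputerName $computer) {
            # The host's own built-in Administrator is expected; anything else must be on the approved list.
            if ($member -ne "$computer\Administrator" -and $AuthorizedAdmins -notcontains $member) {
                $findings += "${computer}: unauthorized local admin $member"
            }
        }
        $age = Get-LocalAdminPasswordAgeDays -ComputerName $computer
        if ($age -gt $MaxPasswordAgeDays) {
            $findings += "${computer}: built-in Administrator password is $age days old"
        }
    } catch {
        $findings += "${computer}: could not query ($($_.Exception.Message))"
    }
}
foreach ($xml in Find-GppPasswords) { $findings += "GPP password stored in $xml" }
$findings
```

Each line of output is one finding to chase down: a person with domain admin who should not have it, an end user or helpdesk account sitting in a workstation's Administrators group, an administrator password older than policy allows, or a Group Policy Preferences file that should be deleted and the password it set treated as compromised. What this script cannot tell you is whether cloned workstations share the same local administrator password; that requires comparing password hashes, and the practical fix is the same either way: a unique, randomly generated password per machine, which is what Microsoft LAPS provides.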
There are many tools available for this kind of scanning; CyberSheath recommends CYBERARK DNA™, a no-cost tool that will:
- Discover privileged accounts on-premises, in the cloud, and in DevOps environments
- Assess privileged account security risks
- Identify accounts with local administrator rights
- Identify machines vulnerable to credential theft attacks
CYBERARK DNA™ will show you how vulnerable your organization’s privileged accounts are and provide the detail behind critical questions such as:
- On which systems do privileged accounts exist?
- Which accounts have escalated privileges?
- Which machines contain SSH keys, and what trust relationships exist between systems?
- Which machines on the network are vulnerable to credential theft attacks, including credential harvesting, Pass-the-Hash, Overpass-the-Hash, and Golden Ticket?
- Where are embedded and hard-coded credentials stored within applications?
- Who are my most privileged Amazon Web Services (AWS) IAM users and what AWS credentials exist?
- Are there hidden unprotected credentials in my DevOps tools? (such as in Ansible Playbooks, Roles and Tasks)
- Which privileged accounts are not in compliance with company policy? (e.g., the password has not been changed in more than 90 days)
Once you have answers to these questions, you will have the data you need to holistically and proactively reduce the risk associated with your privileged accounts.