When it comes to cyber security, channel partners should advise their clients first and foremost to lock down privileged accounts: accounts with administrative rights are often poorly secured, and that weakness is the opening that advanced persistent threat (APT) attacks exploit.
“Privileged accounts have typically been viewed as the powerful IT administrator or super-user accounts,” said John Worrall, CMO at Cyber-Ark, sponsor of a study which found that the compromise of privileged accounts was to blame in a full 100 percent of recent advanced attacks. “This old notion ignores the reality that the use of privileged accounts has expanded significantly throughout the enterprise. Privileged accounts also include default and hardcoded passwords, as well as application backdoors. These accounts exist everywhere – in servers, network devices, applications and more. Security needs to start with identifying and securing every one of these powerful accounts and automating the controls around them. Cyber-attackers know these weak spots exist and will do anything to gain access.”
The report also found that attacks which use privileged accounts are harder to detect, shut down and remediate. An attacker holding such an account can delete logs to hinder forensic analysis, and can install new malware to evade detection and open further doors. Moreover, privileged account use looks like normal traffic and is not flagged by traditional controls, so finding illicit privileged account use among legitimate processes is like finding a needle in a stack of needles.
“The theft and exploitation of privileged accounts is a critical and devastating part of the APT attack cycle,” said Eric Noonan, CEO at CyberSheath, which carried out the study. “These accounts provide wide-ranging access in the enterprise and enable attackers to easily simulate normal business traffic, making infiltrations extremely difficult to detect.”
Locking down privileged accounts and preventing their use in APTs moves the defence earlier in the kill chain, helping to stop attack progression at the delivery stage rather than waiting until the command and control stage. Best practices for preventing privileged account compromise in APTs include: isolating, monitoring and controlling every access point to critical business systems; changing default passwords on all servers, databases, applications and network devices; using multifactor authentication; and removing local administrator rights from the majority of users.
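The monitoring step above, and the "needle in a stack of needles" problem described earlier, can be made concrete with a small detection script. The following Python example is added to this article and is not code from Cyber-Ark, CyberSheath or the report; it runs over constructed Windows-style security events and flags privileged-account behaviour that only looks wrong in context: a privileged logon from a host outside an assumed baseline, one privileged account fanning out to several hosts within a short window, and log clearing or service installation by a privileged account. The Windows event IDs used are the standard ones (4624 successful logon, 1102 audit log cleared, 7045 new service installed); the account names, hostnames, baseline, window and threshold are assumptions chosen for illustration.

```python
"""Detect suspicious privileged-account activity in Windows-style security events.

Added example for this article; not code from Cyber-Ark, CyberSheath or the
report they describe. Accounts, hostnames, baseline and thresholds below are
assumptions chosen for illustration. Windows event IDs used: 4624 (successful
logon), 1102 (audit log cleared), 7045 (new service installed).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "src" is the system the logon
# originated from, "dst" the system it was made to.
EVENTS = [
    {"ts": "2014-05-01T09:00:00", "id": 4624, "account": "CORP\\svc_backup", "src": "BACKUP01", "dst": "FS01"},
    {"ts": "2014-05-01T10:00:00", "id": 4624, "account": "CORP\\jsmith", "src": "WS-MARKETING-7", "dst": "FS01"},
    {"ts": "2014-05-01T22:10:00", "id": 4624, "account": "CORP\\svc_backup", "src": "WS-MARKETING-7", "dst": "DC01"},
    {"ts": "2014-05-01T22:12:00", "id": 4624, "account": "CORP\\svc_backup", "src": "WS-MARKETING-7", "dst": "FS01"},
    {"ts": "2014-05-01T22:13:30", "id": 4624, "account": "CORP\\svc_backup", "src": "WS-MARKETING-7", "dst": "SQL01"},
    {"ts": "2014-05-01T22:15:00", "id": 4624, "account": "CORP\\svc_backup", "src": "WS-MARKETING-7", "dst": "HR01"},
    {"ts": "2014-05-01T22:20:00", "id": 1102, "account": "CORP\\svc_backup", "src": "DC01", "dst": "DC01"},
    {"ts": "2014-05-01T22:21:00", "id": 7045, "account": "CORP\\svc_backup", "src": "DC01", "dst": "DC01",
     "service": "WinUpdateSvc"},
]

# Assumed inventory of privileged accounts and the hosts they are expected to log on from.
PRIVILEGED = {"CORP\\svc_backup", "CORP\\Administrator"}
BASELINE = {("CORP\\svc_backup", "BACKUP01"), ("CORP\\Administrator", "ADMIN-JUMP01")}
FANOUT_THRESHOLD = 3                  # distinct target hosts within the window
FANOUT_WINDOW = timedelta(minutes=30)


def analyze(events, privileged=PRIVILEGED, baseline=BASELINE,
            fanout_threshold=FANOUT_THRESHOLD, fanout_window=FANOUT_WINDOW):
    """Return a list of alert dicts. Each event on its own looks like routine
    admin activity; the alerts come from comparing privileged use against a
    baseline and from the sequence of actions."""
    alerts = []
    recent_logons = defaultdict(list)   # account -> [(timestamp, dst)] inside the window
    fanout_alerted = set()              # accounts already reported for fan-out
    for e in sorted(events, key=lambda ev: ev["ts"]):
        acct = e["account"]
        if acct not in privileged:
            continue                    # only privileged accounts are in scope here
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624:
            if (acct, e["src"]) not in baseline:
                alerts.append({"rule": "unexpected_source", "account": acct,
                               "src": e["src"], "dst": e["dst"], "ts": e["ts"]})
            recent_logons[acct].append((ts, e["dst"]))
            # drop logons that fell out of the sliding window, then count distinct targets
            recent_logons[acct] = [(t, d) for t, d in recent_logons[acct] if ts - t <= fanout_window]
            targets = {d for _, d in recent_logons[acct]}
            if len(targets) >= fanout_threshold and acct not in fanout_alerted:
                fanout_alerted.add(acct)
                alerts.append({"rule": "fanout", "account": acct,
                               "targets": sorted(targets), "ts": e["ts"]})
        elif e["id"] == 1102:
            # audit log cleared: the anti-forensic step the report describes
            alerts.append({"rule": "log_cleared", "account": acct, "dst": e["dst"], "ts": e["ts"]})
        elif e["id"] == 7045:
            # new service installed by a privileged account: common malware persistence
            alerts.append({"rule": "new_service", "account": acct, "dst": e["dst"],
                           "service": e.get("service"), "ts": e["ts"]})
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'unexpected_source': 4, 'fanout': 1, ...}."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = analyze(EVENTS)
    for a in found:
        print(a)
    print(summarize(found))
```

The baseline of (account, source host) pairs is the key piece: without it, the 22:10 logon of the backup service account to a domain controller is indistinguishable from its 09:00 logon to the file server. In practice the baseline would be generated from the privileged-account inventory and the jump hosts or management systems those accounts are permitted to use, and the thresholds tuned to the environment.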
“Our examination showed that almost every major cyber-incident in the past couple of years involved privileged accounts,” said Noonan. “The protection, accountability and management of privileged accounts are the very first steps organizations need to take to stop targeted attacks.”