November 12, 2015 | By Douglas Bonderud

Privileged accounts represent a paradox for IT professionals: While high-level access is required for specific users to complete business-critical tasks and many take pride in earning this level of access, their login credentials make tempting targets for attackers looking to infiltrate corporate networks.

According to Threatpost, which was reporting on a recent CyberArk study, 88 percent of networks are at risk of being compromised through stolen and reused account information. Can companies find a solution that doesn’t impact performance and limits the risk of credential-based attacks?

Rising Concern

As noted by Channel Insider, 61 percent of CyberArk survey respondents said that privileged account takeover “was the most difficult stage of an attack to mitigate” — up a full 15 percent from 2014. Stolen accounts also ranked at the top of companies’ security concerns, with 38 percent listing them ahead of other threats like phishing (27 percent) and malware (23 percent).

Even more worrisome? Despite increasing awareness of the risks associated with privileged accounts, many companies remain overconfident in their ability to detect an attack “within days” of attackers breaching their network.

So what’s the real risk of a hacked admin account? Are the consequences so dire? Short answer: absolutely. The survey found that 40 percent of Windows hosts could lead to “complete compromise” if hacked, and that many of these hosts were “high risk,” meaning they can access more than 80 percent of the networks’ other credentials. If high-level account data is stolen and the theft goes undetected, cybercriminals can often use that information to compromise all Windows hosts on a system, effectively granting them unfettered access.

Risk Factors

If privileged accounts cause such problems for IT professionals, why not simply lock down the system altogether? Pursuing this avenue, however, leads to multiple problems. First is pushback from employees who believe they’ve earned the ability to access corporate data even if it’s not directly related to their work.

In addition, this kind of lockdown causes an IT bottleneck, with users constantly running into password bulwarks and unable to access data they need to complete assigned tasks. And when the role of IT shifts to password gatekeepers, other technology infrastructure suffers for lack of time. Simply put, the hit to performance isn’t worth the effort of eliminating privilege altogether.

A recent Blouin News article, however, suggested that the current model of admin account management — which sees IT and account holders equally responsible for securing access — isn’t working out. Fewer than half of those asked in a recent Dell survey said they logged the use of admin credentials, while just 26 percent of account holders changed their password on a monthly basis. Placing blame is also problematic: CyberArk found that 48 percent of respondents called out poor employee security habits while 29 percent argued that hacks were simply too sophisticated to counter.

The Role of IT Professionals

Some users need high-level access — CISOs, security professionals and project managers come to mind — but every account with raised permissions is another potential access point for cybercriminals looking to compromise corporate networks. And with companies overestimating their ability to catch cybercriminals in the act, a new strategy is required — one that builds security from the bottom up rather than trying to secure accounts from the top down.

Ideally, it takes the form of role-based management that ties high-level oversight to high-value access. If IT professionals know when and where these credentials are used, it becomes a much simpler task to detect odd behavior or lock accounts.

Bottom line? It’s not worth playing the blame game or fighting with users to trim down their permissions bit by bit. With almost 90 percent of networks at risk, IT professionals are best served with investment in oversight — what happens on the network must be readily apparent to those tasked with managing IT risk.
