We’ve all seen the headlines. A major brand-name company we trust was hacked—customer data was exposed, the brand’s reputation is damaged and insult-to-injury money was lost—and we let out a sigh of relief that it wasn’t the company we work for … this time. But how long can we dodge the breach bullet? Are we taking the correct actions to avoid being the next headline? And, how can we reduce our risk without breaking the bank?
So how is it done? Bad actors typically gain access to corporate systems (the network or a specific application) by hacking legitimate credentials that they have gained nefariously. This could be figuring out someone’s password through social engineering or phishing, or could be finding a dormant account (tied to an ex-employee) and gaining access that way. Whichever method they use, the bad-actor will engage in a series of lateral movements and rights escalation activities to gain the “crown jewels” of access they desire: the all-powerful, anonymous administrative account. Then all bets are off.
The Danger of the Dormant Account
Most of us have at one time switched jobs or change roles within our existing company and then find that days, weeks or even months later we still had access to systems from the previous job/role. I had a colleague that reported maintaining access to systems at a previous employer a full five years after he left. A few years back, a major security incident originated from a delay between the firing of an IT contractor and the termination of his administrative accounts on the company’s systems.
Recent research indicated that this problem is much more widespread than most of us would like to admit. In a survey commissioned by One Identity of more than 900 IT security professionals worldwide, 96 percent know that dormant accounts are a problem, but only 19 percent have tools in place to help find them. Additionally, 84 percent admit to taking a month or more to discover dormant accounts and 64 percent are not completely confident that they’ve completely deactivated former employee accounts. It’s a recipe for a security disaster. No matter what efforts go into protecting against phishing and social engineering backdoors, if dormant accounts remain available, the risk is still too high.
If finding and eliminating dormant accounts will go a long way to removing risk, why isn’t it done more? The problem comes down to a re-imaging of how we deal with provisioning and deprovisioning. Some useful tips include:
- Place the line-of-business leaders in charge. They are, after all, the ones who know what is and is not appropriate and have the most to lose if it isn’t done right.
- Avoid pawning account authorization management off on IT. When IT is tasked with the removal of employee rights when they are no longer needed, nothing happens without someone (the line of business) initiating the process and notifying IT of all the rights that must be removed—something the line of business should be responsible for but rarely has information sufficient to do effectively.
- Automate and unify processes. When a single action initiated by an authoritative data source (such as an HR system) fully sets up a user’s rights and fully terminates those rights when they are no longer needed, the dormant account problem quickly becomes the exception, not the rule.
This utopian approach to requesting, assigning, managing, and terminating user rights is achievable, although it generally takes a top-to-bottom shift from traditional, IT-centered approaches to a more business-focused strategy. It’s vital to ensure that the underlying technologies must be able to support the shift. In other words, the legacy tactics of provisioning and deprovisioning by email, phone call, spreadsheet and work-ticket simply does not cut it anymore.
The most effective way to minimize the impact of bad actors is to remove the access to the administrative accounts they covet. Assuming that the bad guys will get in somehow, nothing will discourage them more than making it impossible for them to gain access to what they want. This is a principle called privileged access management and can be fairly easily implemented (in conjunction with effective provisioning/deprovisioning).
The same research that revealed the challenges of dormant accounts also provided some useful insight into the need for effective privileged access management. Revealing that only 14 percent of security professionals use tools designed to manage the distribution and life cycle of administrative access credentials. More than half of respondents report an inability to monitor all of the activity performed with administrative access and 88 percent admit to facing challenges when it comes to effectively managing privileged passwords. Perhaps the most alarming (and the best news for bad actors) is that 86 percent do not change the administrative password after each use (the root of the Federal National Mortgage Association’s problem) and 40 percent still use the default admin password that comes with systems. You might as well invite the bad guys in if you do this.
Key strategies to remediate these problems include:
- Never use the default password – At a minimum, change it when you install or update the system.
- Quit sharing passwords – The root of many problems is the fact that high numbers of administrators share the passwords necessary to do their jobs. This removes individual accountability and opens the door to former employees still knowing the credentials necessary to take bad actions.
- Change the admin password after each use – The same “vaulting” technology that stores and distributes the passwords can also automatically change them after each use.
- Audit administrator activity – Just controlling access via password management goes a long way to removing risk, but it is not complete without the ability to audit the privileged session, both from a preventative and forensic standpoint.
- Delegate – Most administrative activity required for day-to-day operations is not the dangerous type that bad actors crave, however these innocent actions require the same permissions as the bad stuff. Technologies exist to enforce a “least privilege” access model where individual administrators are issued just enough permission to do their daily jobs, but not enough to do damage. If they need additional permissions they can be checked out from the vault and audited for safety.
We live in the unfortunate world that has shifted from “will I be hacked?” to “when will I be hacked?” But there is hope. A dual strategy of closing one of the easy front doors—dormant accounts—and removing the highly-dangerous backdoor—unchecked privileged account access—goes a long way to not only making you an unattractive target but also minimizing the damage if and when an incident occurs.