Businesses need a layer that provides security for privileged access accounts – the “keys to the kingdom,” says David Higgins, professional services manager, UK and Ireland, CyberArk.
“In most high-profile attacks, all roads into a network lead to privileged accounts,” Higgins told the European Information Security Summit 2015 in London.
“No matter who is conducting the attack, no matter their motive and regardless of where they are coming from, all attackers will seek to gain control of privileged accounts to escalate their privileges and expand their access in the target network,” said Higgins.
Improving the security around these accounts is a good way to reduce the impact of network breaches once they occur, but few organisations know how many privileged accounts they have.
Another challenge lies in the fact that there are many privileged accounts in organisations – sometimes up to three times as many as normal user accounts – and typically many of these are not documented.
Beyond the obvious system administrator accounts, there are many more hidden privileged access accounts associated with applications, service providers, selected business users and social media account managers.
“Once inside a network, attackers typically look for privileged account credentials, and use them to access other parts of the network to find other credentials, until they are able to carry out their goal,” said Higgins.
Case study: Ukraine elections
In an attack aimed at discrediting a Ukrainian governor during elections, for example, the attackers found and exploited a website vulnerability to get on to the webserver and locate a Windows operating system store of password hashes.
“This enabled them to use a simple and commonly used pass-the-hash technique to access other systems where these passwords were used, bypassing all security controls by appearing to be an insider with valid credentials,” said Higgins.
In one location, the attackers found a map of the network architecture which enabled them to locate a repository of user names and passwords, which they used to locate the data they were seeking.
“The attack was simply a series of cycles of finding credentials and using those credentials to find more credentials, increasing their ability to move around with each cycle,” said Higgins.
“With the data they were seeking located, it was then a simple matter to copy that data out of the system and publish it online.”
How to counter an attack
Higgins said this type of activity can be limited in a four-step process that starts with discovering all the privileged accounts in an organisation, which can be done using free, online tools.
“CyberArk provides one such free tool that will scan IT environments and identify the number of privileged access accounts, it will flag up accounts with poor security, and it will map potential vulnerabilities to attack techniques such as pass-the-hash,” he said.
The next step is protecting and managing those privileged accounts, which includes ensuring passwords are changed on a regular basis.
Next, organisations need to control, isolate and monitor access to all servers and databases. “Users should be allowed access only if they have valid reasons to do so,” said Higgins. “This can be enforced with strong credential access workflows and monitoring all privileged account activity.”
Finally, he said that by using a real-time privileged account intelligence system, organisations can detect and respond to attacks while they are still in progress.
“Once a breach has occurred, analytics can quickly identify anomalous behavior, enabling security teams to focus on these instances quickly and shut them down,” said Higgins.