A destructive data breach can begin with the compromise of just one privileged account. Criminal hackers and malicious insiders can exploit an unsecured privileged account to gain the persistent, administrative access they need to anonymously extract sensitive data over an extended period of time.
If you can’t find the privileged accounts on your network, you can’t secure them. But just because you may not know where all your privileged accounts exist, doesn’t mean the bad guys can’t locate them. And then leverage these powerful accounts to execute their cyber attacks.
Cyber attackers need privileged account access to carry out their illicit plans. Like installing malware, stealing data or disabling hardware. That’s why privileged account credentials are in such high demand by hackers. In fact, according to Verizon’s 2017 Data Breach Investigations Report, “81% of hacking-related breaches leveraged either stolen and/or weak passwords”.
The Privileged Account Minefield
If it’s that serious of a problem, why not dedicate a few IT resources and lock down all those privileged accounts? Simple enough, right? In theory, yes. That is the idea. But as a real-world IT security initiative? Not so much.
Consider this. A single computer can have privileged accounts in local and domain accounts, in services and scheduled tasks, and in applications like COM+ and DCOM, IIS websites and databases. Now, factor in the many servers, workstations, and devices on a large network. You quickly realize how difficult it is to manually document each privileged account and its interdependencies – and then frequently change each account’s password.
Besides, updating just one password for a privileged account can create service disruptions and system lockouts if processes and services that are dependent on that credential are not concurrently updated.
That’s because service account passwords can be almost impossible to discover and change manually. To accomplish this task, you need service account management. First, you must identify everywhere the service account is in use (discovery). Then you must change the password everywhere it’s referenced (propagation).
The situation becomes even more complex when you factor in turnover in IT staff, new hardware assets, and corporate mergers.
You’re left to navigate a minefield of privileged account vulnerabilities.
Privileged Account Discovery in Depth
The only way to secure your privileged credentials is to automatically:
- make each privileged account password unique and cryptographically complex,
- change privileged credentials after use — to prevent attacks such as pass-the-hash, and
- change the passwords regularly — even as often as every couple hours.
Then, to prevent IT service disruptions when changing privileged passwords, you must propagate password changes to all referenced locations. To do this successfully, you need real-time knowledge of where privileged accounts are in use. Only with automated privileged account management technology can you keep up with these changes, at scale, on a continuous basis.
Learn More About Privileged Account Management
For more information on how you can automatically discover and secure the privileged accounts in your enterprise, download our white paper Privileged Account Auto-Discovery.
If you like this topic, please subscribe to our Cyber Defense Newsletter.
You can also follow us on Twitter.