Just 41% of privileged accounts assigned to permanent employees
17 May 2018
Earlier this year, the Investigatory Powers Commissioner began investigating allegations that GCHQ had passed on privileged access keys for sensitive databases to external IT contractors to not only access documents related to the organisation’s legal, commercial, human resources, or financial dealings, but also data that had been obtained by GCHQ using its surveillance capabilities. Such data could include personally identifiable information of millions of citizens.
The Investigatory Powers Commissioner then told Computer Weekly that it would investigate allegations that external contractors “could misuse their trusted status to access databases containing intercepted telephone, internet and email records of individuals, or other highly sensitive intelligence records”.
Just 41% of privileged access keys given to employees
According to a new study by Balabit, a provider of Privileged Access Management and Log Management solutions, the practice of sharing privileged access keys with external contractors and third-party vendors is quite common across Europe and in the United States.
In its new report, titled “IT Out of Control”, the firm noted that while the number of privileged accounts at businesses is growing day by day, permanent employees are assigned just two out of five such accounts; the rest are given to contractors, vendors and third parties.
Of the 400 IT security professionals from the UK, France, Germany and the United States surveyed by Balabit, almost half (48%) said they could account for privileged access owned by permanent employees, while 44% could account for privileged access given to third-party vendors. In other words, a majority of them cannot account for how privileged access is being used by employees or external vendors.
While 67% of those surveyed told Balabit that former employees could retain credentials and still access their old organisation’s network, 58% said their organisations must take security threats related to privileged accounts more seriously.
Why shouldn’t privileged access be given to third parties?
Joseph Carson, chief security scientist at privileged access management company Thycotic, told TEISS earlier this year that it is in effect a ‘game over’ scenario for businesses as soon as privileged accounts are hacked. Privileged accounts are essentially root-level accounts, or ones that can set up more accounts, and a breach there can have ‘catastrophic’ consequences for businesses: once access has been obtained, malicious actors can go on to create and access accounts, create logs and steal information.
“Not protecting privilege accounts exposes organisations to compliance failure as well as data breaches. The difference is that when you compromise a non-privilege account, it allows the cyber criminal to use just one account: emails from one person and contacts of that one person. But with a privilege account, it is a major incident at that point. Organisations can be attacked thousands of times but breached probably just 100 times and it will be down to what kind of account got breached,” he said.
According to Balabit, there is an urgent need for company boards to recognise the risks of privileged account misuse, as such accounts have become a growing source of risk for organisations. With the number of privileged accounts growing at a brisk pace, organisations are slowly losing control over how such accounts are being accessed.
“Privileged Identity Theft is a widespread technique in some of the largest data breaches and cyber-attacks. A wide range of organizations have fallen victim to sophisticated, well-resourced cyber criminals but often these attacks are easy to carry out, through the use of social engineering techniques such as a simple phishing email,” said Csaba Krasznay, Security Evangelist at Balabit.
“Measures exist to mitigate the risks of the attack. Relatively straightforward process improvements combined with the correct technologies such as session management and account analytics can help detect compromised privileged accounts and stop attackers before they are able to inflict damage on organizations,” he added.
How to enhance visibility over privileged access accounts?
According to Joseph Carson, businesses should follow this checklist to ensure their data is protected against privileged account breaches:
- Try to understand from the outset how important each of the privileged accounts is: how they are used and their impact. Run a proper risk assessment on them. Some organisations are very dependent on their privileged accounts for everything they do. So the account tied to the Wi-Fi access within the office and the admin account linked to the salesforce.com account should be given different weightage. One is obviously more important than the other and so the business should be more sensitive about who has access to which one.
- Categorising privilege accounts. We have found that many businesses fail to proactively discover privilege accounts. If a business doesn’t discover them, there is a real risk of it failing its audit. Often, the case is that businesses don’t even know the number of privileged accounts they have, and this is just the ones that have the ability to create other accounts. During audits, a business will usually find that it has 5 times more privileged accounts than it had audited for initially!
- Apply best practice security consoles. Auditing, 2-factor and multi-factor authentication are key to protecting privileged accounts and then making doubly sure they are secure. So businesses need to make sure that it is not just one password that gets you in. Additional controls need to be in place and putting privilege account management into a privilege account vault that will manage, rotate and secure them, is the easiest way.
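The checklist above can be turned into a repeatable audit over a privileged-account inventory. The script below is an added example, not code from Balabit, Thycotic or TEISS; it assumes a constructed inventory export (account name, owner type, whether the owner is still with the organisation, MFA status, last rotation date and a risk tier), a reference date of 17 May 2018 and an assumed 90-day rotation policy, and reports the share of accounts held by permanent employees alongside the findings the article warns about (leavers keeping access, high-tier accounts held by third parties, accounts protected by a single password, stale credentials).

```python
# Added example, not code from Balabit, Thycotic or TEISS: a minimal audit over a
# privileged-account inventory that applies the checklist above (know each
# account's risk tier, discover who holds it, insist on MFA and rotation).
from collections import Counter
from datetime import date

AS_OF = date(2018, 5, 17)       # constructed reference date for the age checks
MAX_CREDENTIAL_AGE_DAYS = 90    # assumed rotation policy, not from the report

# Constructed sample inventory; a real one would be exported from the IdP or PAM vault.
# owner_type is "employee", "contractor" or "vendor"; owner_active is False for leavers.
INVENTORY = [
    {"account": "wifi-admin", "owner_type": "employee", "owner_active": True,
     "mfa": True, "last_rotated": date(2018, 4, 1), "tier": "low"},
    {"account": "salesforce-admin", "owner_type": "employee", "owner_active": False,
     "mfa": True, "last_rotated": date(2018, 1, 10), "tier": "high"},
    {"account": "db-root", "owner_type": "contractor", "owner_active": True,
     "mfa": False, "last_rotated": date(2018, 5, 1), "tier": "high"},
    {"account": "build-svc", "owner_type": "contractor", "owner_active": True,
     "mfa": True, "last_rotated": date(2018, 3, 1), "tier": "low"},
    {"account": "vendor-support", "owner_type": "vendor", "owner_active": True,
     "mfa": False, "last_rotated": date(2017, 11, 1), "tier": "low"},
]


def ownership_share(inventory):
    """Percentage of privileged accounts held by each owner type (the report's 41% figure)."""
    counts = Counter(acct["owner_type"] for acct in inventory)
    total = sum(counts.values())
    return {kind: round(100 * n / total) for kind, n in counts.items()}


def audit(inventory, as_of=AS_OF, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Return (account, finding) pairs for the conditions the article warns about."""
    findings = []
    for acct in inventory:
        name = acct["account"]
        if not acct["owner_active"]:          # leaver still holding a credential
            findings.append((name, "owner has left but account is still active"))
        if acct["owner_type"] != "employee" and acct["tier"] == "high":
            findings.append((name, "high-tier account held by a third party"))
        if not acct["mfa"]:                   # a single password is the only barrier
            findings.append((name, "no multi-factor authentication"))
        if (as_of - acct["last_rotated"]).days > max_age_days:
            findings.append((name, "credential not rotated within policy"))
    return findings


if __name__ == "__main__":
    print(ownership_share(INVENTORY))
    for account, finding in audit(INVENTORY):
        print(f"{account}: {finding}")
```

On the constructed inventory the employee share comes out at 40%, close to the report's two-in-five figure, and the audit flags the former employee's still-active admin account as well as the contractor-held root account with no MFA.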