The top 8 ways that privileged accounts are exploited

Failure to properly monitor and update privileged access is a key vulnerability and Chris Stoneff highlights the leading weaknesses.


In the year since his first revelations, the name of Edward Snowden has been appearing in the news on an almost daily basis. He has appeared in articles about the US government, the National Security Agency and the CIA and reports have even suggested that he has received death threats from senior US officials.

So, what exactly did Mr Snowden do to become the USA's public enemy number one?

Basically Edward Snowden is the world's most famous rogue employee. Snowden is a former NSA contractor who stole highly secretive information and disclosed it to the media, and the ramifications of his actions seem to have no end.

Obviously the case of Edward Snowden is very extreme, but employees going rogue is not all that uncommon within organisations. This means that companies need to ensure all the 'keys into their IT kingdom' are secure and all passwords are kept completely up-to-date.

Large organisations typically have thousands of privileged accounts, which are often left unmanaged. Rogue insiders, former employees, criminal hackers and sophisticated state-sponsored attackers can exploit these unmanaged privileged accounts to anonymously access and extract an organisation's most critical data using these common attack vectors:

I. Shared accounts – Looking to cut corners and make things simpler, systems administrators often re-use the same password across multiple systems and among multiple administrators. While this may be convenient for the IT staff, if a hacker or malicious insider can get hold of this common, shared password, he has just gained access to systems throughout the network.

II. Storing passwords on a spreadsheet – Similar to shared accounts, one seemingly easy way for an IT team to keep up with all the administrator passwords they need for their jobs is to store them on a spreadsheet accessible to the entire IT group. It seems easy, but how can you track who is accessing these critical passwords and what they are using them for?

III. Don't touch it and it won't break – Large organisations have many specialised passwords called service or process account passwords. These passwords are used in services, tasks, COM applications, IIS, SharePoint and databases. They are difficult to find and track, so these passwords often remain unchanged. Even if the IT staff does try to change them, the change can result in system crashes and downtime in unexpected ways. So, why bother, is the common attitude – at least until one of these old, static passwords falls into the wrong hands.

IV. Social exploits – A seemingly innocuous email might actually be the finely crafted work of a dangerous hacker. A privileged user inside a corporate network who clicks the wrong link might unknowingly be giving a hacker elevated rights into the network. Similarly, a clever hacker might simply convince an unsuspecting user to reveal his password, or to plug in a flash drive or other device carrying a harmful payload.

V. Brute force – This old-school model of hacking involves tools commonly available on the Internet called "rainbow tables" that let hackers quickly crack weak passwords and gain access to the network.

VI. Application exploits – Organisations that fail to stay up-to-date with required security patches to their Internet-facing applications are in for a rough ride, with published and unpublished exploits for web services software, database platforms and a host of other applications poised to give hackers control of your data.

VII. Former IT admins and contractors – Former employees and contractors often leave their jobs with their privileged account passwords remaining active – even long after the termination of their employment. So just because someone is no longer employed doesn't mean he can't still access his former systems and wreak havoc.

VIII. Default passwords – Many hardware devices, applications and appliances – like firewalls and UTMs – come pre-configured with default passwords that are publicly known. If these default passwords aren't changed, they are an easy access point for a hacker.
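Four of the weaknesses above (shared passwords in I, never-rotated service account passwords in III, accounts that outlive their owner in VII and vendor defaults in VIII) can be found by auditing an inventory of privileged accounts. The script below is an added illustration, not code from the article or from Lieberman Software: it assumes an inventory has already been collected from directories, service control managers and appliance configs, and it works on credential fingerprints rather than plaintext so the audit itself never handles the passwords. The inventory, the 90-day rotation policy and the "known default" list are all constructed sample values.

```python
"""Audit a privileged-account inventory for shared, stale, orphaned and default credentials."""
import hashlib
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90  # assumed rotation policy; adjust to local standards
AUDIT_DATE = date(2014, 6, 15)  # constructed "today" so the sample run is reproducible


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so equal credentials can be matched without storing them."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


# Fingerprints of well-known vendor defaults (constructed list for the demo).
KNOWN_DEFAULT_FPS = {fingerprint(p) for p in ("admin", "password", "changeme")}

# Constructed sample inventory. In practice each row would come from AD/LDAP,
# the service control manager, IIS/SharePoint configs or an appliance export.
SAMPLE_INVENTORY = [
    {"account": "Administrator", "system": "dc01", "owner": "alice", "owner_active": True,
     "secret_fp": fingerprint("Spring2014!"), "last_rotated": date(2014, 5, 1)},
    {"account": "Administrator", "system": "fs01", "owner": "alice", "owner_active": True,
     "secret_fp": fingerprint("Spring2014!"), "last_rotated": date(2014, 5, 1)},
    {"account": "svc_backup", "system": "fs01", "owner": "it-ops", "owner_active": True,
     "secret_fp": fingerprint("Backup#2011"), "last_rotated": date(2011, 3, 14)},
    {"account": "bob_admin", "system": "dc01", "owner": "bob", "owner_active": False,
     "secret_fp": fingerprint("B0bRules!"), "last_rotated": date(2014, 4, 2)},
    {"account": "admin", "system": "fw-edge", "owner": "netops", "owner_active": True,
     "secret_fp": fingerprint("admin"), "last_rotated": date(2013, 9, 30)},
]


def audit(inventory, today, max_age_days=MAX_AGE_DAYS, default_fps=KNOWN_DEFAULT_FPS):
    """Return a dict of findings keyed by weakness: shared, stale, orphaned, default."""
    findings = {"shared": [], "stale": [], "orphaned": [], "default": []}
    by_fp = defaultdict(list)  # credential fingerprint -> every account/system using it

    for entry in inventory:
        name = f'{entry["account"]}@{entry["system"]}'
        by_fp[entry["secret_fp"]].append(name)

        # III: service/admin passwords that have not been rotated within policy
        age = (today - entry["last_rotated"]).days
        if age > max_age_days:
            findings["stale"].append((name, age))

        # VII: the account is still enabled but its owner has left
        if not entry["owner_active"]:
            findings["orphaned"].append(name)

        # VIII: credential matches a publicly known vendor default
        if entry["secret_fp"] in default_fps:
            findings["default"].append(name)

    # I: the same credential reused across systems or administrators
    for users in by_fp.values():
        if len(users) > 1:
            findings["shared"].append(sorted(users))

    return findings


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, AUDIT_DATE)
    for category, items in report.items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print(f"  {item}")
```

Run against the sample inventory the audit reports one shared credential (the two Administrator accounts), two stale passwords (the backup service account and the firewall), one orphaned account (bob_admin) and one default credential (the firewall's "admin"). Feeding it a real export is the easy part; the useful follow-up is to wire each finding into a ticket so rotation, disablement or vaulting actually happens.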

Once access is obtained
Once a hacker accesses a password through one of these internal or external attack vectors, the intruder can leapfrog from system to system, compromising privileged accounts throughout the organisation until the IT infrastructure is mapped and its most valued information can be extracted at will.

Contributed by Chris Stoneff, director of professional services at Lieberman Software.
