IT professionals have long grappled with the inherent risks associated with privileged accounts. When credentials that allow other employees to log in to servers, routers, and so forth are compromised, the outcome for the rest of the network can be dire.
A security firm this week is warning just how dire those consequences can be. Virtually no organization is safe, as 88 percent of networks are at risk of being compromised via account credential theft and reuse, according to CyberArk, a company that keeps track of privileged account security.
Research from the firm published today claims that 40 percent of Windows hosts could lead to a complete compromise if they were hacked. The firm analyzed data belonging to 51 different networks – small and large – to get an idea of how much free rein some accounts had over others. If an attacker can hack into one account, could they use that access to jump laterally to another account, or series of accounts?
As attackers that used stolen credentials to burrow deeper into networks belonging to both Home Depot and Target helped demonstrate, the answer is an overwhelming “yes.”
Researchers with the Massachusetts-based firm connected the dots between privileged accounts and their networks and determined that for some networks, if a single Windows host was compromised, an attacker could gain access to a swathe of resources and data, both directly and indirectly.
The firm defined a metric, “high risk hosts,” as any host that can allow access to more than 80 percent of the network’s other credentials. While there was a lot of variability, 40 percent of the 51 organizations it looked at, on average, fell into that “high risk” category.
Assuming an attacker could get the owner of a privileged account to give up their password, either through phishing or social engineering, the firm found that in many situations, they could easily build on that compromise to gain access to most or all of the other Windows hosts on the same network.
“Every Windows network, no matter how large or small, could potentially be compromised by attackers through theft of privileged credentials,” the report reads.
The report, which stems from research carried out by Andrey Dulkin, Sr. Director of Cyber Innovation at the firm, breaks down how vulnerable each cluster of networks it looked at is. By and large, the majority of networks CyberArk looked at, 88 percent, were susceptible to being hacked through privileged credentials.
Only 12 percent of the networks it looked at were what it called “low exposure,” or networks where fewer than 10 percent of the hosts had a high risk of being compromised.
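For defenders who want to apply the two thresholds above to their own inventory, here is an added example (not CyberArk's code or methodology). It assumes a simple model in which each host exposes the credentials stored on it and each credential opens the hosts it administers; the host names, account names and inventory are constructed.

```python
from collections import deque

HIGH_RISK = 0.80     # page: host exposes more than 80% of the network's other credentials
LOW_EXPOSURE = 0.10  # page: fewer than 10% of hosts are high risk

# Constructed sample inventory (assumed data model, not from the report).
STORED = {  # host -> privileged credentials recoverable from that host
    "ws-01": {"alice"},
    "ws-02": {"bob", "helpdesk"},
    "ws-03": {"carol"},
    "srv-file": {"svc_backup", "helpdesk"},
    "srv-dc": {"dom_admin", "svc_backup"},
}
GRANTS = {  # credential -> hosts on which it has administrative access
    "alice": {"ws-01"}, "bob": {"ws-02"}, "carol": {"ws-03"},
    "helpdesk": {"ws-01", "ws-02", "ws-03", "srv-file"},
    "svc_backup": {"srv-file", "srv-dc"},
    "dom_admin": set(STORED),
}

def reachable_credentials(start, stored, grants):
    """Credentials exposed, directly or indirectly, if `start` is compromised."""
    seen_hosts, creds, queue = {start}, set(), deque([start])
    while queue:
        for cred in stored.get(queue.popleft(), ()):
            if cred in creds:
                continue
            creds.add(cred)
            for nxt in set(grants.get(cred, ())) - seen_hosts:
                seen_hosts.add(nxt)
                queue.append(nxt)
    return creds

def host_exposure(host, stored, grants):
    """Share of the network's other credentials (those not on `host`) exposed."""
    own = set(stored.get(host, ()))
    others = set().union(*stored.values()) - own
    reached = reachable_credentials(host, stored, grants) - own
    return len(reached) / len(others) if others else 0.0

def assess(stored, grants):
    """Flag high-risk hosts and classify the network against both thresholds."""
    exposure = {h: host_exposure(h, stored, grants) for h in stored}
    high = sorted(h for h, e in exposure.items() if e > HIGH_RISK)
    share = len(high) / len(stored) if stored else 0.0
    return {"exposure": exposure, "high_risk": high,
            "high_risk_share": share, "low_exposure": share < LOW_EXPOSURE}

if __name__ == "__main__":
    print(assess(STORED, GRANTS))
```

In this constructed network, one workstation that holds a shared help-desk credential scores the same as the two servers, so the audit points at where a privileged credential is stored rather than at the machine's role.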
Once they’re in, CyberArk claims attackers have a serious incentive to bounce back and forth around a server.
In its research the firm found that if an attacker can compromise a server on a mixed server-workstation network, they’re ten times as likely to steal credentials from other machines connected to the same network as they would be had they compromised just a workstation.
The firm’s report follows up on similar research from around the same time last year that found that 80 percent of targeted attacks rely on a privileged account being hacked at some point.
That report cited interviews with officials from Cisco, Mandiant, and RSA Security who reasoned that attacks that stem from privileged accounts are not only faster, but tougher to detect than run-of-the-mill attacks that use malware, or vulnerabilities, to worm their way into systems.
The firm has stressed in the past that companies should not only be aware of how many privileged accounts exist on their networks, but also have a game plan for mitigating the risk commonly associated with privileged accounts.
While companies can deploy countless defense mechanisms depending on their environment, CyberArk encourages organizations to consider using privileged local accounts instead of privileged domain accounts, implementing one-time passwords, and finding a balance in how they dole out higher privileges across organizations.