Sponsored Content

Three Service Account Secrets Straight from Hackers and Security Pros

A survey of nearly 300 Black Hat conference attendees this year showed strong agreement that service accounts are an attractive target.

Barbara Hoffman, Product Marketing Manager, Thycotic

Nearly 19,000 infosec experts travel from all over the world to attend the annual Black Hat Conference. They come to share, educate and disclose their security research on the latest vulnerabilities and cyberthreats. We here at Thycotic love to be a part of the excitement and information exchange by conducting our own survey.

At this year’s Black Hat Conference, we surveyed nearly 300 attendees regarding the privileged account attack surface. Respondents represent an almost even split of 51% hackers and 49% security professionals. This gives our results a bit of a twist by allowing us to compare key perceptions coming from opposite angles. We found that, while quite a few responses were split, both hackers and security pros strongly agree that service accounts are an attractive target because hackers can easily elevate privileges and gain access to sensitive information.

What exactly are service accounts?

Conceptually, the easiest way to think about a service account is as a “non-human” account. People (humans) require access to networks, computers, files, printers, databases and other assets. Likewise, computer programs need the same access. So, when software (non-human/machine) is given a user account, that is called a service account. Service accounts are used in operating systems to execute applications or run programs in the background and are usually created manually or during a software installation.

Why are service accounts so difficult to manage?

Service accounts fly under the radar of IT governance and can have access to critical applications and data. They are extremely time-consuming to discover and control, and are also prone to human error when managed manually. Because of this, we’ve seen almost all medium to large organizations suffer from extreme service account sprawl, perpetuating the unmanaged, uncontrolled expansion of their privileged account attack surface.

Service accounts are basically a ticking time bomb in the privileged account world. Both the hackers and security professionals we surveyed strongly agree that service accounts are an attractive target because hackers can easily elevate privileges and gain access to sensitive information.

Here’s where our results get interesting – one-third of security professionals say service accounts are changed only after an incident or never rotated! They know the significant risk associated with managing and securing service accounts, yet they aren’t sufficiently protecting them today.

What’s the best way to protect service accounts from compromise? You might be relieved to hear that on this topic, hackers and security professionals agree – here is what they told us are the three best ways to protect a service account from compromise:

  1. Remove unnecessary service accounts. This is one of the most effective steps to reduce your risk. Unfortunately, it is often the most neglected area of privileged account governance. It is critical to determine the full life cycle for service accounts from provisioning through decommissioning. If a service account is no longer needed, a process must be in place to decommission those accounts to eliminate vulnerabilities.
  2. Rotate credentials frequently. Service accounts are often set to never expire. Failing to rotate service account passwords drastically increases your risk because service accounts often access sensitive systems. Secure vaulting and password management for privileged accounts across your enterprise infrastructure should be a cornerstone of your security program. Be proactive about this protection and include automated password changing and heartbeat checks (periodic verification that the vaulted credential still works).
  3. Monitor all privileged account activity to detect suspicious behavior. Automated monitoring is key to help track and alert you of suspicious behavior that may indicate a security incident has taken place. The faster you can detect and respond to malicious activity, the less damage you’ll incur.

Monitoring is also essential for compliance and security reviews. You should be able to get full inventories of your service accounts and have automated audit trails.
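As an added illustration (not code from the article or from Thycotic), the following Python audit applies the three practices to a constructed service-account inventory and logon log: it lists idle accounts to decommission, credentials overdue for rotation, and logons from hosts outside each account's allow-list or of interactive type. The account names, hosts, dates, the 90-day windows and the Windows-style logon type codes are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: names, hosts and dates are assumptions for this example, not from the article.
@dataclass(frozen=True)
class ServiceAccount:
    name: str
    password_never_expires: bool
    password_last_set: date
    last_logon: "date | None"      # None: the account has never logged on
    allowed_hosts: frozenset       # hosts the service is meant to run on

INVENTORY = [
    ServiceAccount("svc_backup", False, date(2017, 3, 1), date(2019, 8, 10), frozenset({"bkp01"})),
    ServiceAccount("svc_web", False, date(2019, 7, 20), date(2019, 8, 11), frozenset({"web01", "web02"})),
    ServiceAccount("svc_legacy", True, date(2015, 1, 9), None, frozenset({"app09"})),
]
REVIEW_DATE = date(2019, 8, 12)   # constructed review date for the sample data
# Constructed logon events (account, host, logon type), using the Windows
# security-log numbering: 2 = interactive, 3 = network, 5 = service.
EVENTS = [
    ("svc_web", "web02", 5),
    ("svc_backup", "bkp01", 5),
    ("svc_backup", "wks-finance-07", 2),   # interactive use from a workstation
    ("svc_web", "db01", 3),                # network logon to a host outside its allow-list
]

def decommission_candidates(inventory, today, max_idle_days=90):
    """Practice 1: accounts with no logon inside the idle window, or none ever."""
    return sorted(a.name for a in inventory
                  if a.last_logon is None or (today - a.last_logon).days > max_idle_days)

def rotation_overdue(inventory, today, max_age_days=90):
    """Practice 2: credentials set to never expire, or older than the rotation window."""
    return sorted(a.name for a in inventory
                  if a.password_never_expires or (today - a.password_last_set).days > max_age_days)

def suspicious_logons(inventory, events):
    """Practice 3: logons from hosts outside the allow-list, or interactive logons."""
    allowed = {a.name: a.allowed_hosts for a in inventory}
    findings = []
    for account, host, logon_type in events:
        reasons = []
        if host not in allowed.get(account, frozenset()):
            reasons.append("unexpected host")
        if logon_type == 2:
            reasons.append("interactive logon")
        if reasons:
            findings.append((account, host, "; ".join(reasons)))
    return findings
```

Run against the sample data with REVIEW_DATE, the audit flags svc_legacy for decommissioning, svc_backup and svc_legacy for rotation, and the two logons that leave each account's allowed hosts.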

Follow these three best practices to get control of your service accounts or face serious consequences. For more key insights from the survey, download our Black Hat 2019 Hacker Survey Report – Hackers & Security Professionals at Black Hat 2019: Where They Agree and Where They Differ.

Discussion

  • Tony Roth on

    Seems like it missed a few things to consider, at least in the Windows world: don't use domain-based accounts unless absolutely necessary, and if necessary make sure the accounts are de-privileged if possible. Try to use MSA or gMSA based accounts if possible (these don't require a tool like Thycotic to manage passwords; btw Thycotic is a great product, use it and love it), and limit where these accounts can log in and configure logging to monitor incorrect login locations (this helps alert you when things are going south; if you get an alert based on location you know you are being hacked). There are more things to consider than this, but doing what's in the article plus these minor additions will help greatly.
