By Tony Goulding, Cybersecurity Evangelist at Centrify
Over time, a causal pattern has emerged that accounts for the majority of enterprise security risk: privileged accounts lead to data breaches. So much so that the majority of breaches in 2020 (over 67 percent) were caused by credential theft.
Organizations that prioritize privileged credential security have an advantage over their peers because their operations are more resilient to data breaches. However, the gap continues to widen between those guarded against a breach and the many others that aren’t.
Many have paid attention and embraced the warnings and guidance from analysts, press, and vendors that called for implementing privileged access management (PAM) security controls to mitigate the risk. The question is, did you go far enough?
IT Automation Software and the Attack Surface
As it relates to privileged accounts, the attack surface can be enormous and very diverse. Reducing this attack surface is a primary objective. However, for many organizations, the first – and often, only – focus is on the human administrator and their privileged activities.
Let’s visit another slice of this attack surface that often flies under the radar. Your mileage may vary, but this risk can be just as significant, if not more so. It’s the use of privileged accounts by IT automation software; tools commonly found in IT service management (ITSM), IT operations management (ITOM), and continuous configuration and automation (CCA) platforms, such as asset discovery, vulnerability scanning, and software orchestration.
For example, you may use one tool to scan the network for systems and analyze each one for vulnerabilities, missing patches, and misconfigurations. Another tool may help you maintain a single system of record for your IT assets by inventorying each system and feeding the results into other tools to show applications, infrastructure, and service relationships and dependencies. On top of these, a different tool from a different vendor may be controlling your IT infrastructure, job scheduling, and inventory management. Like the others, it needs administrative access to IT infrastructure.
What they all have in common is that they must log in to IT systems over SSH or WinRM to run commands and scripts with privileges and collect system-level intelligence.
Therein lies the risk.
Externalizing Credential Management
By default, IT configures these privileged account IDs and passwords statically within the tool. Let’s be clear about what this means. You’re entrusting the keys to every IT system, on-premises and perhaps in the cloud as well, to an application whose core strength is not identity and credential management. Not only that, IT must manually configure dozens or even hundreds of credentials in the tool. Multiply that by the number of tools requiring privileged accounts, and the lights never go off for IT. We haven’t even got to password rotation.
Thankfully, several leading vendors in the space have recognized this. As an alternative, most allow IT to externalize identity and credential management to a third-party solution designed for the job. Relocating credentials to a hardened password vault is the best practice to mitigate this risk. Instead of IT configuring passwords within the tool, the tool fetches them from the vault at scan time. If an attacker compromises the tool, they won’t find any privileged account passwords in its configuration settings, which hinders lateral movement to the IT servers and limits what could otherwise amount to a complete compromise of every server in your IT infrastructure, including domain controllers. One caveat: this only holds if the vault authenticates the tool by its own machine or application identity rather than by another shared secret sitting in the same configuration file, and if it limits which accounts the tool may check out; otherwise an attacker who controls the tool can simply ask the vault for the passwords.
Reducing Risk and Adding Value
The value doesn’t end there, however. By now, it’s evident that passwords are inherently weak and introduce risk. IT can use the vault to strengthen passwords and to keep the tools’ logins from failing. Frequent rotation helps mitigate the risk, along with setting long, high-entropy passwords. Unfortunately, this falls below the line of high priorities for many IT shops, resulting in a “set it and forget it” mentality. With the vault, you get automatic account password rotation coupled with password complexity policies. You avoid the risk of stale passwords with low entropy. No longer must IT manually log in to each system to change the local account password, then manually update it in each tool to keep them consistent.
The vault can also help prevent scan failures that occur between the scheduled password rotation jobs. Let’s say someone (a well-meaning internal admin or a threat actor) changes a local system password, but an ITOM tool is still using the old one. The login would fail, and you now have gaps in system coverage requiring manual intervention. Some password vaults can automatically reconcile out-of-sync passwords in real time during password check-out, so that the local system account password and the vaulted password are the same. This client-based password reconciliation feature ensures that your tool will always fetch a valid password from the vault with which to log in at scan time.
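The two behaviours described above, fetching the credential from the vault at scan time instead of storing it in the tool, and reconciling a password that has drifted on the target during check-out, are shown in the added example below. This is illustrative code written for this article, not Centrify’s product code and not any real vault or scanner API. `TargetSystem` is a constructed stand-in for a host the tool would reach over SSH or WinRM, `svc_scan` and `svc_reconcile` are hypothetical account names, and the hosts and passwords are constructed sample data.

```python
"""Toy vault with check-out-time reconciliation (added illustration, not vendor code)."""
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class TargetSystem:
    """Simulated managed host (constructed sample data, not a real SSH/WinRM target)."""
    name: str
    accounts: dict  # username -> password currently set on the box

    def login(self, user, password):
        return self.accounts.get(user) == password

    def reset_password(self, admin_user, admin_password, user, new_password):
        # Only a valid privileged login may change another account's password.
        if not self.login(admin_user, admin_password):
            raise PermissionError("reconciliation account could not authenticate")
        self.accounts[user] = new_password


def generate_password(length=32):
    # Long, high-entropy password from the OS CSPRNG (secrets, not random).
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Vault:
    """Toy vault: holds the only copy of each password and reconciles on check-out."""
    store: dict = field(default_factory=dict)  # (host name, user) -> password
    audit: list = field(default_factory=list)
    recon_account: str = "svc_reconcile"  # hypothetical vault-managed reset account

    def onboard(self, host, user, password):
        self.store[(host.name, user)] = password

    def _reset(self, host, user):
        # Set a fresh password on the box using the reconciliation account, then
        # record it in the vault. Nothing is ever written back into the tool's config.
        new_pw = generate_password()
        recon_pw = self.store[(host.name, self.recon_account)]
        host.reset_password(self.recon_account, recon_pw, user, new_pw)
        self.store[(host.name, user)] = new_pw
        return new_pw

    def rotate(self, host, user):
        """Scheduled rotation job: new password on the target, vault updated in step."""
        self._reset(host, user)
        self.audit.append((host.name, user, "rotated"))

    def checkout(self, host, user):
        """Return a password that is known to work on the target right now."""
        pw = self.store[(host.name, user)]
        if host.login(user, pw):
            self.audit.append((host.name, user, "checkout"))
            return pw
        # Vault and target have drifted (an admin or an attacker changed it locally):
        # reconcile instead of letting the scan fail.
        pw = self._reset(host, user)
        self.audit.append((host.name, user, "reconciled"))
        return pw


# What the scanning tool's own configuration holds: an account name, no password.
SCAN_CONFIG = {"account": "svc_scan"}


def run_scan(vault, hosts):
    """Fetch each credential at scan time; nothing privileged lives in the tool."""
    user = SCAN_CONFIG["account"]
    results = {}
    for host in hosts:
        pw = vault.checkout(host, user)
        results[host.name] = host.login(user, pw)  # stands in for the real SSH/WinRM session
    return results


def demo():
    """Constructed scenario: db01's scan password was changed on the box behind the vault's back."""
    web01 = TargetSystem("web01", {"svc_scan": "Initial-web-1", "svc_reconcile": "Recon-web-1"})
    db01 = TargetSystem("db01", {"svc_scan": "changed-locally", "svc_reconcile": "Recon-db-1"})
    vault = Vault()
    vault.onboard(web01, "svc_reconcile", "Recon-web-1")
    vault.onboard(web01, "svc_scan", "Initial-web-1")
    vault.onboard(db01, "svc_reconcile", "Recon-db-1")
    vault.onboard(db01, "svc_scan", "Initial-db-1")  # stale: the box now has "changed-locally"
    results = run_scan(vault, [web01, db01])
    return results, vault


if __name__ == "__main__":
    scan_results, v = demo()
    print(scan_results)  # both hosts log in, db01 after a reconcile
    for entry in v.audit:
        print(entry)
```

The reconciliation path depends on a second, vault-managed account that is allowed to reset the scan account’s password; without it, a drifted password can only be detected, not repaired. In a real deployment the audit list would be the vault’s own check-out log, which is also where a “reconciled” event outside a rotation window should raise an alert, since it means something other than the vault changed a privileged password.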
Because unauthorized access is a high-reward, low-risk endeavor, attackers will continue to seek out and find new ways of gaining access to high-value and sensitive resources. But embracing a defense-in-depth strategy by externalizing credential management, and gaining visibility into the additional risk that automation tools introduce, can go a long way toward mitigating or preventing data breaches, even when the specific attack vectors are not yet known.
About the Author
Tony is a Cybersecurity Evangelist at Centrify. He has over 30 years of security software experience and more than 15 years of experience in identity and access management and privileged access management.
Tony can be reached online on Twitter at @Tony_Centrify and at our company website www.centrify.com