Your company is at risk, and it’s because of your IT administrators and DevOps.
Rarely do we start off a blog post with such strong accusatory language, so please forgive us, but there has been a growing trend in the last few years, and it is poised to become a wider lane for attackers to hold your organization for ransom.
To clarify, the trend we are referring to is credential theft.
“The human element continues to be a key driver of 82% of breaches, and this pattern captures a large percentage of those breaches. Additionally, malware and stolen credentials provide a great second step after a social attack gets the actor in the door, which emphasizes the importance of having a strong security awareness program.”
Verizon DBIR 2022
IT Administrators are people too.
As Verizon points out in the quote above, stolen credentials obtained through social engineering remain one of the most successful attack vectors. IT administrators, while generally well-informed and security-focused, are still human. Some of the largest breaches in history began with an administrator being socially engineered, by one of many methods, into handing credentials to an attacker, who then used them to gain access to the organization's environment.
People have bad habits and become comfortable.
Another bad practice that IT administrators and DevOps groups have been committing for as long as the roles have existed: the mishandling of administrative accounts and service accounts.
These accounts are typically built-in administrative accounts, default admin accounts, or service accounts that are still using their default passwords or weak passwords, or, in the case of service accounts, have more access than they need. Each of these is exactly what attackers are looking for, and they will find them.
Why this should be a top priority for you.
Let’s expound on Verizon’s quote to make this crystal clear. When managing your organization’s technology infrastructure, administrative accounts are the gatekeepers of your company’s sensitive information. Ensuring functions are performed using dedicated administrative accounts separate from daily driver accounts is critical. These daily driver accounts are typically the same account people use to log into their computers and email, giving them a larger attack surface for phishing and malware compromise tactics.
Administrative accounts are often granted higher levels of access and permission to sensitive systems and data, which makes them an attractive target for attackers. It can be a bad combination if they are one and the same.
Dedicated administrative accounts.
Businesses can minimize the risk of account compromise and unauthorized access to sensitive information by using dedicated administrative accounts. These accounts should only be used for administrative tasks and not for any other purpose. This separation of privilege ensures that even if an attacker gains access to a daily driver account, they will not have the same level of access and permission as they would if they were able to compromise an administrative account.
Yes, even if your administrators are security experts.
Even if a user is an administrator with proper training, it is still important to separate daily driver accounts from performing administrative functions. Administrative accounts are typically granted more privileges and access rights than regular user accounts. Therefore, if an attacker can compromise an administrative account, they would have access to sensitive systems and data, which could severely damage the business.
By separating daily driver accounts from administrative accounts, businesses limit the blast radius of an account compromise and restrict access to sensitive information. It also ensures that users only hold the access they need for the task at hand, which helps prevent accidental or intentional misuse of administrative privileges, such as deleting critical data or changing system configurations from the same session used to read email.
Separating administrative accounts from daily driver accounts can make managing security and compliance requirements easier. It allows businesses to more easily monitor and audit administrative activity, ensuring that actions are taken in accordance with company policies and procedures.
Level down. It’s your only hope.
Leveling down, that is, reducing every account to the privilege it actually needs, is one of the best ways to mitigate these risks. Here are some ways to get started.
Audit and Assess
Depending on your resources, this can be completed with in-house talent or an external vendor.
We recommend having an identity expert review your needs and environment to give you a comprehensive review. They can typically be done for less than you think!
At StrataNorth, we have identity experts that can help you review your environment for potential identity vulnerabilities, create a plan, help remediate, and even set up a support program.
That said, let’s review some ways to tackle audit and assessment of your existing environment.
Taking inventory is a crucial first step in identifying potential security risks in your organization. Here are some steps you can take to conduct a comprehensive inventory:
Note: remediate as you go. As you find a vulnerable account, check it against your policies, fix it, and then train the system owner, rather than waiting until the entire inventory is complete. This iterative approach is preferred over remediating only once everything has been found.
- Identify all systems and devices: Make a list of all services, systems, and devices used in your organization, including SaaS applications, servers, workstations, laptops, and network devices. Identify the accounts that have access to these systems and devices and their access level. This includes the built-in admin accounts.
- Identify all user accounts: Identify all user accounts used in your organization, including those for employees, contractors, and vendors. Make a list of each account name and the level of access each account has, including administrative privileges.
- Identify all service accounts: Identify all service accounts used in your organization, including those for automated tasks such as backup and monitoring or API connections for integrations. Make a list of each account name and the level of access each account has.
- Document everything: Document all the information you collect about your systems, devices, user accounts, and service accounts. You can use a spreadsheet or an asset management system to keep track of everything. The important thing is to know what is out there.
Review your policies and procedures for accounts.
Reviewing policies and procedures is important in identifying potential security risks in your organization. Here are some steps you can take to conduct a comprehensive review:
- Identify security policies and procedures: Make a list of all security policies and procedures used in your organization, such as password policies, access control policies, and account policies.
- Review policies and procedures: Review each policy and procedure to ensure they align with best practices for security. Ensure they address current security threats and risks and are up-to-date with the latest technologies and trends.
- Identify gaps and weaknesses: Identify any gaps or weaknesses in your policies and procedures. Look for areas where policies or procedures are not followed consistently or do not provide adequate protection against potential security risks.
- Develop a plan to address gaps and weaknesses: Once you have identified any gaps or weaknesses in your policies and procedures, develop a plan to address them. This may include updating policies and procedures, providing additional employee training, or implementing new technologies to improve security.
Finally, implement and enforce the policies and procedures, and put a continuous improvement program in place so they remain effective as the environment changes.
Remediate
Once you have identified the accounts needing remediation and the policies and procedures they must comply with, remediate them to align with your organizational standards. Here is a checklist to keep in mind:
Default admin account credentials
- Change the default admin account credentials to a strong and unique password.
- Disable or delete any default admin accounts that are not needed. Be sure to check with the vendor to ensure this is supported and will not result in any lockout or loss in the system.
- Implement multi-factor authentication (MFA) for all admin accounts where applicable. If there is no native MFA, ensure the system is behind a VPN connection secured with MFA.
Weak admin account passwords
- Enforce a password policy that requires strong and complex passwords.
- Implement a password manager to ensure passwords are not reused or easily guessable.
- Use MFA to add an additional layer of security.
Shared admin accounts
- Eliminate shared admin accounts and instead create individual accounts for each administrator. If you use a privileged access management solution such as CyberArk, vaulted generic admin accounts are acceptable in place of named ones, because each check-out is attributed to the individual who requested it.
- Implement an access control system to restrict access to admin accounts based on the specific tasks that each administrator needs to perform.
- Use MFA to add an additional layer of security.
Service accounts with too much access
This one is especially sensitive because these accounts perform background tasks that are not easily visible to the business. A common example is an integration account, such as the one used to enable SSO for Salesforce with Okta: administrators are tempted to wire the connection up with an existing full admin account. That grants the integration far more access than it needs and is not recommended; give it a dedicated account scoped to the integration.
- Review and assess the permissions of each service account to determine if they have more access than necessary.
- Implement the principle of least privilege, granting service accounts only the minimum access required to perform their tasks.
- Regularly monitor and review the activity of service accounts to detect any unusual or suspicious behavior.
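The inventory steps above and this remediation checklist can be turned into a repeatable check. The following is an added example, not part of the original post or any StrataNorth tooling: a small Python audit that takes an account inventory and flags the four remediation classes discussed here (default admin credentials, missing MFA on interactive admin accounts, a daily driver account that also holds admin rights, shared accounts, and service accounts holding roles beyond their declared task). The role names, the task-to-role mapping, the Account fields, and the sample inventory are all assumptions constructed for the example; adapt them to the exports your directory and SaaS platforms actually produce.

```python
"""Audit a constructed account inventory for the remediation classes in this post.

Assumed input: an export of accounts with their roles, owners, MFA state and
provenance. Role names, the task-to-role mapping and the sample accounts are
constructed for this example and are not real data.
"""
from dataclasses import dataclass, field

# Role names that confer administrative control (assumed; adapt to your systems).
PRIVILEGED_ROLES = {"Domain Admins", "Global Administrator", "Super Admin"}

# Least-privilege role a service account needs for its declared task (assumed mapping).
SERVICE_TASK_ROLES = {
    "backup": {"Backup Operators"},
    "monitoring": {"Event Log Readers"},
    "sso-integration": {"SSO Connector"},
}


@dataclass
class Account:
    name: str
    kind: str                                  # "human", "service" or "builtin"
    roles: set = field(default_factory=set)
    owners: list = field(default_factory=list)  # people who hold the password
    mfa: bool = False
    has_mailbox: bool = False                  # a mailbox marks a daily-driver account
    rotated_since_provisioning: bool = True    # False: the vendor default may still be set
    task: str = ""                             # service accounts only


def is_privileged(acct: Account) -> bool:
    return bool(acct.roles & PRIVILEGED_ROLES)


def audit(accounts: list) -> dict:
    """Return {account name: [finding, ...]} for every account with at least one finding."""
    report = {}
    for a in accounts:
        findings = []
        # Default admin credentials: a built-in account whose password was never changed.
        if a.kind == "builtin" and not a.rotated_since_provisioning:
            findings.append("default-credentials")
        # MFA on every interactive admin account (service accounts cannot do MFA).
        if a.kind != "service" and is_privileged(a) and not a.mfa:
            findings.append("no-mfa")
        # Daily-driver account (it has a mailbox) that also carries admin rights.
        if a.kind == "human" and a.has_mailbox and is_privileged(a):
            findings.append("daily-driver-is-admin")
        # Shared account: more than one person knows the password.
        if len(a.owners) > 1:
            findings.append("shared-account")
        # Service account holding roles beyond what its declared task needs.
        if a.kind == "service":
            extra = a.roles - SERVICE_TASK_ROLES.get(a.task, set())
            if extra:
                findings.append("overprivileged:" + ",".join(sorted(extra)))
        if findings:
            report[a.name] = findings
    return report


# Constructed inventory (not real data).
INVENTORY = [
    Account("Administrator", "builtin", {"Domain Admins"}, ["alice", "bob"],
            mfa=False, rotated_since_provisioning=False),
    Account("alice", "human", {"Domain Admins"}, ["alice"], mfa=True, has_mailbox=True),
    Account("alice-adm", "human", {"Domain Admins"}, ["alice"], mfa=True),
    Account("svc-backup", "service", {"Backup Operators"}, ["itops"], task="backup"),
    Account("svc-okta-sfdc", "service", {"Super Admin"}, ["itops"], task="sso-integration"),
]

if __name__ == "__main__":
    for name, findings in sorted(audit(INVENTORY).items()):
        print(f"{name}: {', '.join(findings)}")
```

Run against the sample inventory, the script flags the built-in Administrator account three times (default credentials, no MFA, shared), flags alice's mailbox-bearing account for also being a Domain Admin while her separate alice-adm account passes, and flags the Okta-to-Salesforce integration account for holding Super Admin when the task only needs the connector role. Feed it the spreadsheet or asset-management export from the inventory step and re-run it after each remediation pass.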
Admin awareness and user awareness training.
Conducting user and admin awareness training is an important step in reducing the risk of security breaches in your organization. Here are some steps you can take to develop and implement effective user awareness training:
- Identify training needs: Identify the training needs of your employees based on their job responsibilities and the types of data and systems they have access to. For example, employees who handle sensitive customer information may require more training than employees who do not.
- Develop training materials: Develop training materials that are clear, concise, and easy to understand. Include information on creating strong passwords, identifying and avoiding phishing scams, and best practices for using company-owned devices and systems.
- Use interactive training methods: Use interactive training methods, such as role-playing exercises or simulated phishing campaigns, to engage employees and help them learn more effectively.
- Make training mandatory: Make training mandatory for all employees, and require them to complete it regularly. Consider using online training tools or other automated methods to make it easy for employees to complete training.
- Reinforce training through communication: Reinforce training through regular communication with employees, such as newsletters or security bulletins. This can help keep security awareness top of mind and encourage employees to remain vigilant.
- Monitor and measure effectiveness: Monitor and measure the effectiveness of your training program over time. Use employee surveys or other feedback mechanisms to gather feedback and improve as needed.
You will want to focus on providing the appropriate training for the level of the individual and their job responsibilities. An IT administrator with over 20 years of experience with security certifications will need different training from a sales executive who is new to the workforce. Train appropriately!
Epilogue
We hope this blog post gave you some insight into how your IT administrators can be an important defense against compromise but can also be used against you. While there is a plethora of information here, there can be much more to consider when implementing the strategies mentioned in this article. As each business is unique, so are its security needs and, more importantly, its risks.
How StrataNorth Can help.
If you are ready to transform your business’s security and identity landscape and are looking for experts to guide you, StrataNorth has security and identity consultants with decades of experience. We can help you reach security and identity nirvana and give you a roadmap for success. Reach out for a no-cost, no-obligation chat with a security and identity expert today.