A lot of security is invisible, locked away in black boxes. That is how many of my clients perceive it, and frankly, they are not entirely wrong.
When my security team evaluates and fixes an organization's network before it falls victim to a ransomware attack or data breach, I always find at least a few serious problems related to service accounts: vendors that needed access at one point in time and still have carte blanche access to your network, or vendors that requested your network be configured in a certain way (the specifics of which make you and your data more vulnerable to attack).
This year, when I attended the Black Hat Conference in Las Vegas (an event that all of the major security companies and cybersecurity experts make an effort to attend), some startling statistics were ringing through the halls and catching security-minded experts' ears.
The chatter around the conference halls was about how service accounts are becoming one of your biggest vulnerabilities and risks when it comes to cybersecurity. These accounts are among the biggest and most attractive targets for hackers.
The reason? Through them, hackers can easily go undetected, easily gain privileges within your network, and gain access to your most sensitive information.
First off, what do I mean by service accounts?
The easiest way to think about a service account is as a 'non-human' account. We as users, whether we are in IT or not, need access to the network, computers, files, printers, databases and other devices within the organization.
Similarly, computers and vendors need similar access in several cases. For instance, a piece of software (a non-human user) may be given a user account of its own. We would call this account a service account.
Service accounts may be used by operating systems to execute applications or run programs in the background. They are usually created manually, or created automatically when certain software is installed.
Why are security experts struggling with service accounts?
You see, service accounts fly under the radar of many in IT. They can access critical applications and data without anyone ever seeing their actions.
Most IT professionals do not understand how to detect these accounts and observe unusual activity on them.
In fact, for many they are extremely time-consuming to discover or control. Because they are often managed manually, they are also prone to human error in how they are configured.
Without a doubt, these are the reasons why service accounts are leaving your organization vulnerable, and why, over time, account sprawl and mismanagement most likely lead to a perpetually unmanaged, uncontrolled and growing risk (we call this the attack surface) within your business network.
I see service accounts as a ticking time bomb for letting hackers in undetected.
Both hackers and security experts agree that one of the biggest areas of focus in cybersecurity in 2020 and beyond is finding a way to manage these accounts.
One thing is clear: if your IT team cannot provide you with at least one credentialed cybersecurity expert (that is, provide you the details of a CISSP number), you will likely have a hard time remediating some of these hard-to-see security problems.
One of the most startling pieces of information coming from Black Hat's 2020 conference is the fact that organizations do not change these service accounts until an actual security incident related to those accounts confronts them.
What does this tell me?
IT teams are NOT protecting your network the way they should, and you might need to step in and start holding them accountable!
How can you keep service accounts from compromising your network?
Here are some of the steps hackers and security experts recommend for protecting your network from service accounts:
Remove unnecessary accounts. This is probably the most no-brainer task. The most effective way to eliminate your risk of an attack through service accounts is simply to remove the ones you aren't using. The problem is that most networks have tons of unneeded service accounts on them (IT teams never look at this stuff).
Enforce password policies. Another no-brainer is making sure that service account passwords expire. If you have to change your password every single month, why doesn't a piece of software need to do this at all? One of the biggest annoyances and most fraught problems in the networks I personally assess is that no one ever changes these account passwords. Audit your service accounts to see that they meet your password policy requirements.
Monitor privileged account activity and detect suspicious behavior. Another thing IT teams miss when evaluating Active Directory (where your user accounts are managed) is looking for suspicious activity or elevated privileges that give people or attackers access to more of your critical data and infrastructure. The faster you can detect fishy behavior on your network, the faster you'll be able to respond, and the less damage you'll incur.
Get a checkup. Most cybersecurity experts agree that the best way to know what's going on in your network is to get a second pair of eyes to see whether security improvements are needed. One of the most effective ways? Getting a ransomware vulnerability assessment.
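The three technical steps above (remove unused accounts, enforce password expiry and rotation, and watch privileged service accounts for activity they should never have) can be turned into a repeatable audit. The script below is an added example written for this article, not code from the original post or from any vendor tool. It assumes a directory export in a simple constructed CSV layout (the column names are this example's own; a real export from your directory tooling would need to be mapped onto them), constructed sample logon events, and policy thresholds (90 days without a logon counts as unused, passwords older than a year count as unrotated) that are assumptions you would replace with your own policy. The Windows logon type numbers (2 interactive, 3 network, 4 batch, 5 service, 10 remote desktop, 11 cached interactive) are the standard ones from the Windows security log.

```python
import csv
import io
from datetime import datetime

# Constructed sample directory export (not real data). Empty date = never.
SAMPLE_EXPORT = """\
name,enabled,last_logon,password_last_set,password_never_expires,member_of
svc_backup,true,2024-05-01,2021-02-14,true,Domain Admins;Backup Operators
svc_print,true,2024-05-20,2024-04-30,false,
svc_oldvendor,true,2022-01-09,2019-11-03,true,Domain Admins
svc_sql,true,2024-05-28,2024-01-15,false,
svc_retired,false,2020-06-30,2018-01-01,true,
"""

# Constructed logon events: (account, Windows logon type, source host).
SAMPLE_EVENTS = [
    ("svc_sql", 5, "SQL01"),              # type 5: started as a service, expected
    ("svc_backup", 4, "BK01"),            # type 4: batch / scheduled task, expected
    ("svc_backup", 10, "WS-FINANCE-07"),  # type 10: remote desktop, not what a service does
    ("svc_print", 3, "PRINT01"),          # type 3: network logon, expected
    ("svc_sql", 2, "SQL01"),              # type 2: interactive console logon
]

AS_OF = datetime(2024, 6, 1)        # constructed audit date
STALE_DAYS = 90                     # assumed policy: no logon in 90 days = unused
MAX_PASSWORD_AGE_DAYS = 365         # assumed policy: rotate at least yearly
PRIVILEGED_GROUPS = {               # built-in groups worth reviewing; extend for your domain
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # interactive, RemoteInteractive, CachedInteractive


def _date(value):
    return datetime.fromisoformat(value) if value else None


def parse_export(text):
    """Turn the CSV export into a list of account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "name": row["name"],
            "enabled": row["enabled"].lower() == "true",
            "last_logon": _date(row["last_logon"]),
            "password_last_set": _date(row["password_last_set"]),
            "password_never_expires": row["password_never_expires"].lower() == "true",
            "groups": {g for g in row["member_of"].split(";") if g},
        })
    return accounts


def audit(accounts, as_of=AS_OF):
    """Map account name -> list of findings for the three steps in the article."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            # Step 1: a disabled leftover is still a target; remove it outright.
            findings[acct["name"]] = ["disabled: remove"]
            continue
        issues = []
        last = acct["last_logon"]
        if last is None or (as_of - last).days > STALE_DAYS:
            issues.append("stale")                      # step 1: unused, remove
        if acct["password_never_expires"]:
            issues.append("password_never_expires")     # step 2: policy not applied
        pwd = acct["password_last_set"]
        if pwd is None or (as_of - pwd).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password_too_old")           # step 2: never rotated
        priv = acct["groups"] & PRIVILEGED_GROUPS
        if priv:
            issues.append("privileged:" + ",".join(sorted(priv)))  # step 3: review
        if issues:
            findings[acct["name"]] = issues
    return findings


def suspicious_logons(events, service_account_names):
    """Step 3: a service account should not log on interactively or over remote desktop."""
    return [
        (acct, logon_type, host)
        for acct, logon_type, host in events
        if acct in service_account_names and logon_type in INTERACTIVE_LOGON_TYPES
    ]


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    for name, issues in audit(accounts).items():
        print(f"{name}: {', '.join(issues)}")
    names = {a["name"] for a in accounts}
    for acct, logon_type, host in suspicious_logons(SAMPLE_EVENTS, names):
        print(f"ALERT {acct} logon type {logon_type} from {host}")
```

Run against the constructed data, the audit flags svc_oldvendor as stale, unrotated and Domain Admin (the "vendor that needed access at one point in time" case), svc_backup as never-expiring and over-privileged, and svc_retired as a disabled leftover to delete, while the two interactive logons by service accounts are the kind of fishy behavior the monitoring step is meant to surface. In practice the export and the events would come from your directory and your security log rather than from inline strings, and the thresholds would come from your password policy.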