Home page logo

dataloss logo Data Loss mailing list archives

The top 8 ways that privileged accounts are exploited
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Jul 2014 19:32:09 -0600


In the year since his first revelations, the name of Edward Snowden has
been appearing in the news on an almost daily basis. He has appeared in
articles about the US government, the National Security Agency and the CIA
and reports have even suggested that he has received death threats from
senior US officials.

So, what exactly did Mr Snowden do to become the USA's public enemy number

Basically Edward Snowden is the world's most famous rogue employee. Snowden
is a former NSA contractor who stole highly secretive information and
disclosed it to the media, and the ramifications of his actions seem to
have no end.

Obviously the case of Edward Snowden is very extreme but employees going
rogue is not all that uncommon within organisations. This means that
companies need to ensure all the ‘keys into their IT kingdom' are secure
and all passwords are kept completely up-to-date.

Large organisations typically have thousands of privileged accounts, which
are often left unmanaged. Rogue insiders, former employees, criminal
hackers and sophisticated state-sponsored attackers can exploit these
unmanaged privileged accounts to anonymously access and extract an
organisation's most critical data using these common attack vectors:

        I.            Shared accounts – Looking to cut corners and make
things simpler, systems administrators often re-use the same password
across multiple systems and among multiple administrators. While this may
be convenient for the IT staff, if a hacker or malicious insider can get
hold of this common, shared password, he's just gained access to systems
throughout the network.

      II.            Storing passwords on a spreadsheet – Similar to shared
accounts, one seemingly easy way for an IT team to keep up with all the
administrator passwords they need for their jobs is to store them on a
spreadsheet accessible to the entire IT group. It seems easy, but how can
you track who is accessing these critical passwords and what they're using
them for?

    III.            Don't touch it and it won't break – Large organisations
have many specialised passwords called service or process account
passwords. These passwords are used in services, tasks, COM applications,
IIS, SharePoint and databases. They're difficult to find and track, so
these passwords often remain unchanged. But even if the IT staff does try
to change them, the change can potentially result in system crashes and
downtime in unexpected ways. So, why bother, is the common attitude – at
least until one of these old, static passwords falls into the wrong hands.

    IV.            Social exploits – A seemingly innocuous email might
actually be the finely crafted work of a dangerous hacker. A privileged
user inside a corporate network who clicks the wrong link might unknowingly
be giving a hacker elevated rights into the network. Similarly, a clever
hacker might be able to simply convince an unsuspecting user into revealing
his password or install a flash drive or other device with harmful payload.

      V.            Brute force – This old school model of hacking involves
tools commonly available on the Internet called “rainbow tables” that let
hackers quickly break weak password and gain access to the network.

    VI.            Application exploits - Organisations that fail to stay
up-to-date with required security patches to their Internet-facing
applications are in for a rough ride, with published and unpublished
exploits to Web services software, database platforms, and a host of other
applications poised to give hackers control of your data.

  VII.            Former IT admins and contractors – Former employers and
contractors often leave their jobs with their privileged account passwords
remaining active – even long after the termination of their employment. So
just because someone is no longer employed doesn't mean he can't still
access his former systems and wreak havoc.

VIII.            Default passwords – Many hardware devices, applications
and appliances - like firewalls and UTMs - come pre-configured with default
passwords that are publicly known. If these default passwords aren't
changed, they're an easy access point for a hacker.

Once access is obtained
Once a hacker accesses a password through one of these internal or external
attack vectors, the intruder can leapfrog from system to system,
compromising privileged accounts throughout the organisation until the IT
infrastructure is mapped and its most valued information can be extracted
at will.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!

  By Date           By Thread  

Current thread:
  • The top 8 ways that privileged accounts are exploited Audrey McNeil (Jul 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]