Privileged accounts can be gateway to breaches

If you examine the rash of recent data breaches, many follow the same distinct pattern, says Adam Bosnian, executive vice president of Cyber-Ark Software in Newton, MA. An attacker obtained access to an administrative or privileged account and then used that powerful entry point to take what they wanted.

Are you guarding your privileged accounts closely enough?

In any computer network, the administrative or privileged account is one used by someone with the authority to do more than simply access the data, Bosnian explains. That person might be an IT professional who supports the system or a senior administrator. They — unlike the typical user who can access the data but not do more — are able to increase their own access or the access of others and do things that might be forbidden to most users, such as downloading large volumes of data.

"Once inside, they leverage the privileged account, or elevate privileges associated with the account, to gain access to additional servers, databases, and other high-value systems only a select few people are actually granted permission to access," Bosnian explains. "The result, as demonstrated in recent breaches, is easy access to millions of sensitive records. This is the same thing that was found in the Utah breach. Hackers were able to bypass the system because a technician configured the server with a weak password, and the attackers elevated privileges from there."

Because these types of privileged accounts can act as a gateway to an organization's most sensitive data and information assets, they have emerged as the primary target for attackers, Bosnian says. Attackers often break into a privileged account through simple means, such as an easy-to-crack password, spear-phishing (faking the origin of an email to seek unauthorized access), or exploiting a zero-day vulnerability (a weakness that is unknown to the system user or the software developer).

"The problem is that privileged accounts are often shared, with passwords that are rarely changed. This remains the great paradox in the world of identity and access management and security in general," he says. "We know that attackers are targeting these incredibly sensitive access points, and yet personal passwords to websites such as Facebook have higher standards of security and strength. Despite controlling access to an organization's sensitive data assets, these shared accounts simply do not have the same security standards applied to them."

Bosnian notes that these vulnerabilities are not limited to the healthcare industry. Auditors from the U.S. Department of Energy recently found similar problems at the Bonneville Power Administration, including 11 servers configured with weak passwords. One had an administrative account with a default password.
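The weaknesses Bosnian describes above (shared privileged accounts, passwords that are rarely changed, and servers left on weak or vendor-default passwords as in the Bonneville audit) are things an organization can check for itself. The script below is an added example, not code from the article or from Cyber-Ark: it runs a simple audit over a constructed inventory of accounts and reports the privileged ones that are shared, overdue for rotation, or still flagged as carrying a vendor default. The inventory fields, the 90-day rotation limit, and the `vendor_default` flag (assumed to come from a separate credential check) are all assumptions for the sake of illustration.

```python
"""Audit a constructed inventory of accounts for the privileged-account
weaknesses the article describes: shared credentials, passwords that are
rarely rotated, and accounts still carrying a vendor default password.

Added example, not from the article or Cyber-Ark. The record format, the
policy threshold and the sample data are assumptions/constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Policy threshold: assumed value, not taken from the article.
MAX_PASSWORD_AGE_DAYS = 90

# Ordering used when reporting findings (most urgent first).
SEVERITY_RANK = {"critical": 0, "high": 1}


@dataclass
class Account:
    name: str
    host: str
    privileged: bool
    holders: List[str]            # people who know / use this credential
    last_rotated: date            # when the password was last changed
    vendor_default: bool = False  # assumed: set by a separate credential check


@dataclass
class Finding:
    account: str
    host: str
    issue: str
    severity: str


def audit(accounts: List[Account], today: date,
          max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> List[Finding]:
    """Return findings for privileged accounts only, sorted by severity."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.privileged:
            continue  # ordinary user accounts are out of scope for this check
        if a.vendor_default:
            findings.append(Finding(a.name, a.host,
                                    "vendor default password still in use",
                                    "critical"))
        if len(a.holders) > 1:
            findings.append(Finding(a.name, a.host,
                                    f"shared by {len(a.holders)} people",
                                    "high"))
        age_days = (today - a.last_rotated).days
        if age_days > max_age_days:
            findings.append(Finding(a.name, a.host,
                                    f"password {age_days} days old "
                                    f"(limit {max_age_days})",
                                    "high"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.account))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'critical': 1, 'high': 2}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (hosts, names and dates are made up).
TODAY = date(2012, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("root", "db01", True, ["alice", "bob", "carol"], date(2011, 1, 15)),
    Account("admin", "web02", True, ["dave"], date(2012, 6, 15), vendor_default=True),
    Account("svc_backup", "app01", True, ["erin"], date(2012, 5, 1)),
    Account("jdoe", "ws17", False, ["jdoe", "intern"], date(2010, 3, 3)),
]


def run_sample() -> List[Finding]:
    """Audit the constructed inventory; used by the demo below."""
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():8}] {f.account}@{f.host}: {f.issue}")
    print(summarize(run_sample()))
```

On the constructed inventory this reports three findings: the `admin` account on `web02` is critical because it still carries the vendor default, and the `root` account on `db01` is reported twice, once for being shared by three people and once for a password that has not been rotated in over a year. The non-privileged `jdoe` account is skipped even though it is also shared and stale, which mirrors the article's point that the privileged accounts are the ones that deserve the tighter standard.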

"While troubling, reports of this nature are commonplace and are a contributing reason as to why we continually see massive breaches of this nature in the headlines. At some point, businesses across industries need to wake up and understand that privileged accounts and passwords are the no. 1 target for hackers," Bosnian says. "Controlling these access points needs to be a priority."


• Adam Bosnian, Executive Vice President, Cyber-Ark Software, Newton, MA. Telephone: (617) 965-1544. Email: