Identity risks that can leave every organization vulnerable to attack.
In today’s digital landscape, privileged users are the keys to your organization’s most valuable data and assets. A compromised privileged user account can open the door to all kinds of cyber threats.
Drawing from a year’s worth of identity risk assessments of organizations across multiple industry segments, a study by Proofpoint found exploitable privileged identity risks at a rate of 1 in 6 endpoints.
These risks include:
- Unmanaged local admins with stale passwords
- Misconfigured users with unnecessary privileges
- Cached credentials left exposed on endpoints
Privileged users are powerful.
Many organizations are unaware of these risks and therefore are unable to properly manage them.
Privileged users have the ability to reset passwords, change policies, install software, and extract or encrypt data. If an attacker compromises a privileged user's endpoint, the company and its critical data are at great risk. When exploited, identity risks allow attackers to gain initial access, elevate privileges, evade defenses, and in some cases, take complete control.
Unmanaged Identity Risks
Unmanaged identity risks include:
- Outdated local admin passwords
- Using temp or test admin accounts
- Local admins who have not been enrolled in an account management system
Using default account names such as “Administrator” or “Admin” for local admin accounts lowers the barrier to entry for attackers, particularly if these default admin accounts all use the same password.
Outdated passwords are also an identity risk. We recommend admin passwords be updated every 30 to 90 days. The older a password becomes, the more susceptible it is to brute-force attacks, particularly in the case of password reuse.
Failure to set a password
Another risk is failing to set a local admin password in the first place. Some may argue in favor of not setting an admin password; however, this approach greatly increases the risk of insider attack. And in the case of a lost or stolen device, it could be catastrophic.
Unknown local admins
Another unmanaged risk is the presence of completely unknown local admins. These admins tend to be named “temp” or “test.” In most cases, the organization has forgotten about these admin accounts, but they remain highly privileged and a big risk.
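The following audit script is an added example, not Proofpoint's tooling: it checks each local account in the Administrators group against the unmanaged risks described above (default account names, temp/test naming, no password required, and password age). The 90-day threshold and the name lists are assumptions; run it elevated on the endpoint being assessed.

```powershell
# Added audit example (assumed thresholds and name lists, not Proofpoint's tooling).
$MaxPasswordAgeDays = 90                          # page recommends 30 to 90 days
$DefaultNames       = @('Administrator', 'Admin')
$SuspectPatterns    = @('temp', 'test')           # naming that often marks forgotten admins

# Local (non-domain) user accounts that are members of the local Administrators group
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

$findings = foreach ($member in $localAdmins) {
    $user    = Get-LocalUser -SID $member.SID
    $reasons = @()

    if ($DefaultNames -contains $user.Name) {
        $reasons += 'default account name'
    }
    if ($SuspectPatterns | Where-Object { $user.Name -match $_ }) {
        $reasons += 'possible unknown/forgotten admin (temp/test naming)'
    }
    # PasswordRequired reflects the account flag only; a blank-but-required
    # password is not detected here and still needs a policy check.
    if (-not $user.PasswordRequired) {
        $reasons += 'no password required'
    }
    if ($null -eq $user.PasswordLastSet) {
        $reasons += 'password never set'
    } elseif (((Get-Date) - $user.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
        $reasons += "password older than $MaxPasswordAgeDays days"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Account         = $user.Name
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            Risks           = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Accounts that show up here are candidates for enrollment in a local admin password management solution or for removal from the Administrators group.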
Misconfigured Identity Risks
Misconfigured identity risks fall under a category we call “shadow admins.” Shadow admins are accounts in your network that have admin privileges but are often overlooked because they are not members of any Active Directory groups.
Exposed Identity Risks
Exposed risks include privileged identity information left in:
- Cached credentials
- In-app password stores
- OS password stores
- Disconnected or “hanging” remote desktop protocol (RDP) sessions
These are the digital equivalent of leaving your username and password written on a sticky note. Attackers have a variety of tools to exploit these credentials.
Web browsers are one of the main sources of exposed identity risks and when privileged credentials become exposed in web browsers, they often go unnoticed. Cyber attackers have automated collection and exploitation tools to steal these credentials. Within minutes, attacks can infect large swaths of an organization.