black hat 2015 hacker survey report


Upload: ngotuyen

Post on 05-Jan-2017


PRIVILEGED ACCOUNT MANAGEMENT

Hackers confirm an alarming lack of protection for privileged accounts

According to Thycotic’s 2015 Hacker Survey conducted at the annual Black Hat conference, hackers continue to easily compromise privileged accounts, the “keys to the kingdom” that help them unlock access to virtually any part of your network, including mission critical data. The report highlights disturbing news for security professionals and IT administrators alike. Despite multi-millions of dollars invested in cybersecurity this past year, hackers shared several startling findings:

9 in 10 hackers believe it’s as easy, or even easier, to steal privileged account credentials today compared to the past two years!

45% of hackers reported that privileged account credentials are their most coveted target, giving them the most direct access to sensitive data.

94% of hackers find privileged credentials in unprotected files such as spreadsheets.

It’s imperative that organizations start implementing best practices to protect privileged account access around the sensitive credentials most sought after by attackers today. This report contains several best practices organizations can use to protect their privileged accounts, enforce stronger security policies and stop a breach in its tracks, including:

1. Discover rogue accounts and secure them immediately.

2. Rotate passwords on privileged endpoints constantly.

3. Actively audit and monitor privileged user access.

4. Enforce strong password policies for end-users.

The takeaway from this year’s Hacker Survey is clearly expressed by cybersecurity expert Dave Shackleford of IANS:

“If you don’t have good privileged account management, attackers can take your credentials and start acting like a trusted user.”


Thycotic Black Hat 2015

Hacker Survey Executive Report

Introduction: A growing focus on Privileged Account security

Data breaches continue to plague business enterprises daily, and it’s nearly impossible to stop attackers from advancing into the basic layers of a company’s IT infrastructure. Today, the perimeter is not the security force it once was. Attackers are bypassing perimeter security constantly, taking advantage of flaws that allow them some kind of access within your network, regardless of whether the business is a small operation or global enterprise. The key to protecting your network and critical data is to learn how attackers think so you can add the right layers of security designed to stop attack efforts from becoming successful.

Despite increased, or at least commensurate, levels of IT security spending over the past two years, hackers today continue to compromise corporate networks with ease. It seems that even as more security solutions and tools are deployed, just as many vulnerabilities are introduced that can lead to network penetration. In today’s cyber security arena, a traditional perimeter firewall used as the primary line of defense is no longer the impenetrable wall it used to be, as hackers and malicious actors consistently find ways to sneak past the first trusted layer of defense. The combination of BYOD, distributed networks, mismanaged user access, and the sheer volume of external attacks has created a complex series of threat vectors that require unique defense-in-depth strategies, starting inside the perimeter at the core of the infrastructure and working outward from there.

According to a 2014 report sanctioned by Thycotic and IANS Research, 62% of data breach success directly resulted from the abuse of privileged account credentials, stolen by attackers from deep inside the network. This proves that traditional perimeter defense isn’t enough to stop attackers from achieving their goals.
In an effort to learn more about the methods by which hackers are able to successfully break into and compromise enterprise networks, Thycotic sponsored an official poll conducted live onsite at Black Hat USA 2015. Thycotic secured 201 responses from both self-identified white hat and black hat hackers, and the results documented herein reveal some of the methods they use to infiltrate networks, and demonstrate the focus with which they target privileged account credentials.


75% of hackers see no improvement in the protection of privileged account credentials.

When asked how the level of difficulty has changed in terms of the ability to compromise privileged account credentials, a vast majority (75%) of the survey respondents indicated it is just as easy today as it was two years ago. What’s more, an additional 12% said that it is “even easier” today, despite increased security spending. When combining those two respondent sets, a clear picture emerges in which nearly 9 in 10 hackers believe it is as easy or even easier to steal privileged account credentials today.

Only 6% of hackers have NOT found privileged account credentials in unprotected files.


One of the more foundational security practices in any organization is to protect credentials in encrypted databases, or some kind of centrally managed solution, in order to limit exposure. Yet 94% of hackers indicated they have found privileged account credentials – arguably the most important source of access to a network – in unprotected files at least some of the time. In fact, 50% of hackers said this is the case either “all of the time” (20%) or “most of the time” (30%) when they get their foot into the door of a network and start looking around. The dangers here are immeasurable, as privileged account credentials essentially serve as the keys to the kingdom and can unlock access to virtually any part of the network, including mission critical data sources.

Hackers say sensitive credentials are the keys to large amounts of critical data.

Perhaps not surprising after the previous finding, hackers covet privileged account credentials because of the access they provide to critical data. In fact, when given the choice between privileged account credentials, end user credentials, user documents and files, and network configuration information, 45% of hackers reported that privileged account credentials are the targeted asset that provides them the most direct access to data. End user credentials, which generally have more limited access rights assigned to them, were the second choice for hackers at 33%. Although limited, exposed end-user credentials still pose a major risk because they are often the first target utilized in the attack chain to gain entry-level access into the network. Using this as a foothold in the network, attackers then leverage a myriad of methods to elevate the privileges of those end-user accounts or compromise existing privileged accounts in order to gain full access to the critical data they are targeting.

“If you don’t have good privileged account management, attackers can take your credentials and start acting like a trusted user.” – Dave Shackleford, Lead IANS Faculty


Hackers identify Healthcare as a top target.

Given the relative value of personal health information (PHI) to hackers, in contrast with credit card numbers, healthcare organizations are at the top of the list when it comes to targeted industries. The hackers surveyed at Black Hat also indicated that healthcare is the industry that seems the most vulnerable to them. When asked which industry (among healthcare, financial services, government, oil and gas/energy, and education) they considered to be the ripest target for breach vulnerability, healthcare was the leading answer, chosen by 29% of all respondents. Financial services and government followed closely though, garnering 25% and 24% respectively. Interestingly, despite the various reasons that hackers might target oil and gas/energy concerns (such as hacktivism, terrorism, or simply financial gain), only 1 in 10 respondents considered that industry to be the most vulnerable to breaches.

Recommendations

In response to the continuing trend of credential theft and privileged account abuse, regardless of current security spending, it’s imperative that organizations begin practicing some level of privileged account management and access management around the sensitive credentials most sought after by attackers today. Privileged account management is a segment of IT security that securely discovers, controls, and manages privileged account passwords and access to those accounts. As the data shows, hackers are not going to stop targeting these credentials any time soon. Below are some best practices for organizations to protect privileged accounts, enforce stronger security policies and stop a breach in its tracks.


1. Discover rogue accounts and secure them immediately. Often, organizations have thousands of privileged accounts floating around their network that they are not always aware of. Or, as seen in the survey data, hackers tend to come across necessary credentials in unsecured files like spreadsheets. These accounts include: local administrator, root accounts, domain administrator, and service accounts to name a few. By properly discovering these accounts on a scheduled basis and automatically bringing them into a secure, encrypted vault, organizations can create an active inventory of their usage, properly vault credentials and begin managing who has access to these sensitive accounts.

2. Rotate passwords on privileged endpoints constantly. Because passwords are often a burden to change manually, many credentials on privileged endpoints are left stale for years, making them ripe for the picking for an attacker looking to escalate privilege during an attack. By rotating privileged account passwords on a regular basis, you stop attackers in their tracks before they can escalate privilege. During lifecycle management, make sure you’re using a PAM solution to generate and rotate complex, strong passwords that are difficult to crack.

3. Actively audit and monitor privileged user access. While securely vaulting credentials protects them from direct exposure, and restricting user access to credentials limits potential misuse, it is still important to build in a layer of monitoring around the use of those credentials in order to verify that they are used appropriately and not abused. Audit trails are a must, to show who accessed the credential, when they did so, and what was done with the credential. Additionally, user or session monitoring tools can record the activity performed with the privileged credential. That recording serves as a forensic tool to determine what sort of malicious activity took place on a system, or as a disaster recovery function to see what mistakes may have been made to impact a system and more quickly undo the damage done.

4. Enforce strong password policies for end-users. While privileged accounts are the most coveted credentials to provide attackers critical data access, end-user passwords are still an essential checkmark in a hacker’s attack chain. Enforcing strong password policies on end-user credentials helps protect those identities from being compromised during an attack. Passwords for end-users should be reset, at a minimum, every 30-90 days, and be complex. Password changes should be audited and performed via a self-service password reset mechanism to ensure your security policy’s password complexity requirements are enforced, provide an audit log for compliance, and improve employee experience by greatly reducing help desk calls, empowering end-users to take control of their own password resets, and increasing ROI for internal support costs.

Survey Methodology

In August 2015, Thycotic surveyed 201 self-identified hackers live at the Black Hat 2014 event. “Hackers” were defined as official attendees of the Black Hat conference who personally identified themselves as a hacker at the time of the poll. Respondents remained anonymous to protect their personal identity. For more information, please email [email protected].