Humans are commonly regarded as the weakest link in any security strategy, writes Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, an account and password management product company.
Cybercriminals would appear to agree. The overwhelming majority of cyber-attacks target individual users, hoping to trick them into making a mistake that lets attackers into the network through a compromised account. Hijacking a user’s account is the ideal starting point for an attack; from there, the attackers elevate to a privileged account, which may have access to a powerful array of capabilities.
It’s no surprise, then, that the 2019 Verizon Data Breach Investigations Report found that 32 percent of all breaches involved phishing, while another 29 percent involved stolen user credentials. However, while it is essential to protect user accounts from being hijacked, businesses tend to automatically equate privilege management with the accounts of human workers. In fact, some of the most prized accounts are automated service accounts that are never intended for human interaction.
What are service accounts?
A service account can be defined as any user account that interacts with the system but is used by an application or service rather than a human user. These accounts usually work silently in the background to enable machines and their human users to accomplish any number of daily tasks. They come in a variety of forms with differing levels of capabilities and permissions. Local accounts, for example, are siloed and work within a single machine only, with no connection to other systems. Network accounts, meanwhile, can access the network and transfer data, while domain accounts work with different network components and communicate with other applications and database infrastructure.
Service accounts often have very high permission levels, sometimes equivalent to those of a privileged account or superuser. For example, a service account that applies software updates across the network may be given access to everything because it saves having to constantly redefine its permissions. Similarly, IT help desks commonly make use of service accounts for maintenance and troubleshooting activity, such as applying patches and backing up data.
Ordinarily, these accounts will be actively working behind the scenes, and an organisation’s human users will likely have no idea they even exist. Indeed, ideally most service accounts should not even have interactive login capabilities in the first place. However, because IT administrators are only human, it is not unusual to find misconfigured service accounts that have been enabled with interactive login.
Why are service accounts overlooked?
Service accounts will work with a username and password combination just like any normal user account. This is where the risks start to creep in. Left in this state, they are vulnerable to any threat actor who manages to acquire the right credentials. Worse still, interactive service accounts are often less secure than normal user accounts. It’s all too easy for IT administrators to overlook them when applying security policies. As a result, they don’t conform to basic best practice such as password rotation or multifactor authentication. Organisations also tend to focus on human interaction in security audits. Service accounts, by contrast, are often left untouched by audits; sometimes no alerts are even triggered.
It is not uncommon for us to discover during penetration testing that administrators have unintentionally left service accounts wide open, with default settings untouched. It’s not just in-house IT admins who are guilty of this. Third parties such as consultants, vendors and service providers who find themselves managing a heavy workload are also known to resort to such risky, time-saving short cuts. Leaving the credentials on a default setting is convenient for contractors. They can quickly log in to any number of accounts across multiple networks without having to keep track of hundreds of sets of passwords. It also means that a single – probably weak – password is all that stands between a threat actor and unfettered access to multiple organisations.
What are the risks?
Leaving service accounts unmanaged and unprotected has serious security implications for an organisation. Privileges are often elevated to administrator level. Hijacking a service account therefore becomes a breakthrough for any threat actor. At a stroke, they may gain a dangerous level of control over the system or the entire infrastructure. Administrative misconfigurations, such as spaces in service file paths, will also make it easy for an intruder to elevate privileges during their attack. Service accounts are particularly popular with service providers. If hacked successfully, they may be used to lay sophisticated traps as part of larger attacks. The infamous attack on Ukraine’s energy sector was a powerful example of this. Attackers deployed BlackEnergy malware to cripple the electrical systems. Computer systems were infected with malware designed to fill their hard discs so that it appeared like a normal system failure. Users naturally contacted the help desk for support, and when the IT personnel logged into the system, the malware pounced and stole their credentials, granting the attackers even more access.
Safeguarding service accounts
With so many human-centric threats to contend with, it’s easy to see why a busy IT or security team might overlook service accounts. In addition to having scarce contact with human users, service accounts also behave very differently from normal accounts. An account belonging to a human user accessing systems at strange hours of the day will likely trigger an alert. Not so a service account: it may be perfectly normal for a service account to perform an update at that time.
Service accounts present such a serious potential threat that organisations cannot afford to ignore them. A recommended first step is to undertake a thorough discovery exercise to determine what accounts are on the systems and networks – particularly any that were not previously known about. Once all accounts have been catalogued, the next step is to conduct a risk assessment and rank them in order of risk to the business. Starting with the most dangerous, all accounts should be classified and subjected to proper security processes. Any unnecessary accounts should be deprovisioned.
Moving forward, the company should ensure it follows a standard, consistent, repeatable process whereby all new service accounts are created in a predictable manner that complies with security policies.
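The catalogue-then-rank step above can be made mechanical. The following is an added example (not code from the article or from Thycotic) that scores a constructed service-account inventory using the risk indicators the article names (administrator privileges, interactive login, no password rotation, no MFA, network or domain reach, no known owner) and flags stale, ownerless accounts as deprovisioning candidates. The weights, thresholds and account records are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed inventory records for illustration (not real accounts). In practice
# they would come from a directory export or a discovery scan of each host.
@dataclass
class ServiceAccount:
    name: str
    scope: str                # "local", "network" or "domain"
    is_admin: bool            # holds administrator-level privileges
    interactive_logon: bool   # interactive login enabled (normally should be off)
    mfa_enforced: bool
    password_age_days: int    # days since the password was last rotated
    last_used_days: int       # days since the account last authenticated
    known_owner: bool         # IT can name the system or process that needs it

# Weights and thresholds are assumptions for this example, not a published scale.
SCOPE_WEIGHT = {"local": 0, "network": 1, "domain": 2}
ROTATION_LIMIT_DAYS = 90

def risk_score(acct: ServiceAccount):
    """Return (score, reasons); a higher score means higher risk to the business."""
    score, reasons = 0, []
    if acct.is_admin:
        score += 5
        reasons.append("administrator-level privileges")
    if acct.interactive_logon:
        score += 4
        reasons.append("interactive login enabled")
    if acct.password_age_days > ROTATION_LIMIT_DAYS:
        score += 3
        reasons.append(f"password not rotated for {acct.password_age_days} days")
    if acct.interactive_logon and not acct.mfa_enforced:
        score += 2
        reasons.append("interactive account without MFA")
    score += SCOPE_WEIGHT[acct.scope]
    if not acct.known_owner:
        score += 2
        reasons.append("no known owner")
    return score, reasons

def triage(accounts, stale_days=180):
    """Rank accounts by risk and flag stale, ownerless ones for deprovisioning."""
    ranked = sorted(accounts, key=lambda a: risk_score(a)[0], reverse=True)
    deprovision = [a.name for a in accounts
                   if a.last_used_days > stale_days and not a.known_owner]
    return [(a.name, risk_score(a)[0]) for a in ranked], deprovision

def sample_inventory():
    return [ServiceAccount("svc_patch", "domain", True, True, False, 400, 1, True),
            ServiceAccount("svc_backup", "domain", True, False, False, 30, 2, True),
            ServiceAccount("svc_legacy_report", "network", False, True, False, 800, 400, False),
            ServiceAccount("svc_printspool", "local", False, False, False, 20, 1, True)]
```

Running `triage(sample_inventory())` ranks the interactive, unrotated domain admin account first and lists the unused, ownerless reporting account for deprovisioning.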
It makes good sense for organisations to bring service accounts back into the fold. Making them visible to IT support teams ensures they will be secured and managed with the same care applied to normal user interactive accounts. Organisations can then be confident they have done all they can to keep essential privileged service accounts safe from misuse by cyber criminals.