Dec 25, 2021

Time to Ditch Big-Brother Accounts for Network Scanning

Yaron Kassner, CTO and co-founder of Silverfort, discusses why using all-seeing privileged accounts for monitoring is bad practice.
In almost every network there is a highly privileged service account that connects remotely to every computer. Such accounts are usually owned by backup, security or monitoring products. Using them to log in remotely to systems across the network introduces unnecessary risk: it is bad practice, and an avoidable one.
An attacker can take advantage of these privileged accounts as follows. First, the attacker gains a foothold on one computer in the network, whether by exploiting a vulnerability, phishing, a supply-chain attack or any of many other techniques. Then the attacker waits for the service account to log on to the compromised computer. When that happens, the attacker harvests the account's credentials from the host and, because the account is typically a domain administrator, inherits domain administrator privileges. From that point on, preventing a complete domain takeover becomes very hard.

How much the attacker gets depends on how the account logs on. A network logon (Windows logon type 3: SMB, WinRM, most WMI) leaves no reusable password hash or Kerberos ticket on the target, but an interactive or RDP session, a scheduled task or a service started under the account does, and those are exactly what many backup and remote-execution tools rely on. Even a network logon is not harmless: an attacker on the compromised host can relay the NTLM authentication the account presents to another system.
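One way to find the accounts this section describes before an attacker does is to audit Windows Security event 4624 for accounts that log on to many hosts with a logon type that leaves credentials on the target. The following is an added example, not code from the article or from Silverfort; the logon-type set it treats as credential-caching and the sample events are constructed assumptions, not real telemetry.

```python
from collections import defaultdict

# Windows Security event 4624 LogonType values after which the target host
# holds reusable credential material for the account (hash or TGT in LSASS).
# Type 3 (network: SMB, WinRM without CredSSP, most WMI) is deliberately
# absent: those logons leave nothing for a local attacker to dump, although
# they can still be relayed. This set is an assumption made for the example.
CREDENTIAL_CACHING_LOGON_TYPES = {
    2,   # Interactive (console)
    4,   # Batch (scheduled task run with stored credentials)
    5,   # Service (a service started under the account)
    10,  # RemoteInteractive (RDP)
}

# Constructed sample 4624/4625 events, not real telemetry. Field names mirror
# the event XML; "Computer" is the host that logged the event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "fs01",    "TargetUserName": "svc_backup",  "TargetDomainName": "CORP", "LogonType": 5},
    {"EventID": 4624, "Computer": "sql02",   "TargetUserName": "svc_backup",  "TargetDomainName": "CORP", "LogonType": 5},
    {"EventID": 4624, "Computer": "hr-pc07", "TargetUserName": "svc_backup",  "TargetDomainName": "CORP", "LogonType": 4},
    {"EventID": 4624, "Computer": "web01",   "TargetUserName": "svc_backup",  "TargetDomainName": "CORP", "LogonType": 5},
    {"EventID": 4624, "Computer": "fs01",    "TargetUserName": "svc_monitor", "TargetDomainName": "CORP", "LogonType": 3},
    {"EventID": 4624, "Computer": "sql02",   "TargetUserName": "svc_monitor", "TargetDomainName": "CORP", "LogonType": 3},
    {"EventID": 4624, "Computer": "web01",   "TargetUserName": "svc_monitor", "TargetDomainName": "CORP", "LogonType": 3},
    {"EventID": 4624, "Computer": "hr-pc07", "TargetUserName": "jdoe",        "TargetDomainName": "CORP", "LogonType": 2},
    {"EventID": 4624, "Computer": "hr-pc07", "TargetUserName": "jdoe",        "TargetDomainName": "CORP", "LogonType": 10},
    {"EventID": 4624, "Computer": "web01",   "TargetUserName": "WEB01$",      "TargetDomainName": "CORP", "LogonType": 5},
    {"EventID": 4625, "Computer": "web01",   "TargetUserName": "svc_backup",  "TargetDomainName": "CORP", "LogonType": 5},
]

BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def find_fan_out_accounts(events, min_hosts=3):
    """Return {DOMAIN\\user: sorted hosts} for accounts that completed a
    credential-caching logon on at least `min_hosts` distinct hosts.

    Machine accounts (trailing '$') and the local built-in identities are
    skipped; failed logons (4625) and network logons are ignored.
    """
    hosts_by_account = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        if ev.get("LogonType") not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue
        user = ev.get("TargetUserName", "")
        if not user or user.endswith("$") or user.upper() in BUILTIN_ACCOUNTS:
            continue
        account = ev.get("TargetDomainName", "") + "\\" + user
        hosts_by_account[account].add(ev["Computer"])
    return {acct: sorted(hosts)
            for acct, hosts in hosts_by_account.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for account, hosts in find_fan_out_accounts(SAMPLE_EVENTS).items():
        print(f"{account}: credential-caching logons on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed input only `CORP\svc_backup` is reported: it runs as a service or scheduled task on four hosts, so each of those hosts holds its credentials. `svc_monitor` touches as many hosts but only with network logons, and `jdoe` only logs on to one machine. Against real data, point the function at 4624 events exported from your SIEM and raise `min_hosts` to taste; any account that surfaces is a candidate for the agent-based redesign described below.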
It is important to note that this scenario is not theoretical. This attack vector is very common precisely because it is so easy to execute.
Many organizations are aware of the threat and still maintain these highly privileged service accounts. Even companies that have been breached this way continue to use them, because the backup, monitoring and security vendors leave them no choice, claiming that this is the only way their product works.
But there are alternatives. The most straightforward alternative is to have an agent on each computer contact the server for instructions, rather than allowing the server to connect to each computer. 
In addition, the instructions received from the server should be limited to the purpose of the agent. For example:
This way, an attacker who compromises the server can perform only the handful of actions the agents understand rather than gain complete access to the network, and an attacker who compromises one computer cannot steal the server's credentials to move laterally, because the server never presented any.
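The pull model just described, as an added example that is not code from the article or from any vendor: the agent holds a per-host key minted at enrollment, the server (in this in-process simulation; the outbound HTTPS poll is assumed and omitted) can only hand the agent one of two named tasks, and each task is MAC'd, scoped to one host, time-limited and single-use. The hostnames, keys, directory allowlist and the two task types are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from pathlib import PurePosixPath


class TaskRejected(Exception):
    """Raised by the agent for any instruction it refuses to carry out."""


# Constructed enrollment registry: one random key per host, minted when the
# agent enrolled. The server holds no credential that works on more than one
# host, and no host holds a credential that works on the server.
REGISTRY = {
    "web01": bytes.fromhex("11" * 32),  # constructed keys; real ones come from enrollment
    "db01": bytes.fromhex("22" * 32),
}

# Directories the backup task may read. Anything else is refused.
ALLOWED_BACKUP_ROOTS = (PurePosixPath("/var/lib/app"), PurePosixPath("/etc/app"))


def _canonical(task):
    """Stable byte encoding of a task so server and agent MAC the same bytes."""
    return json.dumps(task, sort_keys=True, separators=(",", ":")).encode()


def issue_task(registry, host, task_type, params, now=None, ttl=300):
    """Server side: build a task for `host` and MAC it with that host's key."""
    now = int(time.time()) if now is None else now
    task = {"id": secrets.token_hex(8), "host": host, "type": task_type,
            "params": params, "expires": now + ttl}
    mac = hmac.new(registry[host], _canonical(task), hashlib.sha256).hexdigest()
    return {"task": task, "mac": mac}


def handle_backup(params):
    """Back up one directory, but only inside the allowed roots."""
    path = PurePosixPath(params.get("path", ""))
    if not path.is_absolute() or ".." in path.parts:
        raise TaskRejected(f"refusing path {params.get('path')!r}")
    if not any(path == root or root in path.parents for root in ALLOWED_BACKUP_ROOTS):
        raise TaskRejected(f"{path} is outside the allowed backup roots")
    return f"backed up {path}"  # a real agent would stream the files out here


def handle_collect_metrics(params):
    """Report a constructed metric; a real agent would read /proc or perf counters."""
    return {"load1": 0.42}


# The only instructions the agent understands. A compromised server can pick
# from this table; it cannot hand the agent an arbitrary command to run.
TASK_HANDLERS = {"backup": handle_backup, "collect_metrics": handle_collect_metrics}


class Agent:
    def __init__(self, host, key):
        self.host = host
        self.key = key
        self.seen_ids = set()  # replay protection for the tasks' lifetime

    def run(self, envelope, now=None):
        """Verify an envelope fetched from the server, then run the named task."""
        now = int(time.time()) if now is None else now
        task = envelope.get("task", {})
        expected = hmac.new(self.key, _canonical(task), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            raise TaskRejected("bad MAC: not issued under this host's key")
        if task.get("host") != self.host:
            raise TaskRejected("task addressed to another host")
        if task.get("expires", 0) < now:
            raise TaskRejected("task expired")
        if task.get("id") in self.seen_ids:
            raise TaskRejected("replayed task")
        handler = TASK_HANDLERS.get(task.get("type"))
        if handler is None:
            raise TaskRejected(f"task type {task.get('type')!r} is not permitted")
        self.seen_ids.add(task["id"])
        return handler(task.get("params", {}))


if __name__ == "__main__":
    agent = Agent("web01", REGISTRY["web01"])
    print(agent.run(issue_task(REGISTRY, "web01", "backup", {"path": "/var/lib/app/data"})))
    for bad in (issue_task(REGISTRY, "web01", "run_shell", {"cmd": "net user x /add"}),
                issue_task(REGISTRY, "web01", "backup", {"path": "/etc/shadow"}),
                issue_task(REGISTRY, "db01", "backup", {"path": "/var/lib/app"})):
        try:
            agent.run(bad)
        except TaskRejected as why:
            print("rejected:", why)
```

Per-host HMAC keys keep the example to the standard library; a production agent would more often verify a signature made with a server-held private key, so that nothing extracted from a compromised host can mint tasks at all. Either way the property that matters is the one the paragraph above asks for: the server never logs on to the host, a stolen agent key is good for exactly one host, and the worst a compromised server can do is request a backup of an allowlisted directory.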
This approach works. It is already the norm for cloud-based solutions, which inherently have no inbound access to on-premises environments. Because of that "limitation" they were forced to design more secure ways to manage devices remotely.
So as much as we need backup, security and monitoring capabilities, it’s time to eliminate over-privileged domain service accounts. Here are several best practices to make this happen:
By saying no to granting domain admin privileges where they’re not needed, organizations can close a massive and dangerous security gap in their attack surfaces.
Yaron Kassner is CTO and co-founder of Silverfort.
