Stealthy admins and weak passwords continue to plague enterprises

Feb. 15, 2019
Experts anticipate this problem will worsen unless enterprises prioritize password best practices

Imagine a vast army of unsuspecting employees at companies around the globe: some with weak or compromised passwords, others with excess access privileges (stealthy administrators) that IT is unaware of, and some with both. Not only would it be relatively easy for malicious actors to steal these employees’ credentials, the attackers could end up with the keys to the castle, since these users are not monitored as closely as most administrative accounts.

Our latest research suggests these vulnerabilities - weak passwords and excess administrative privileges - are all too common at organizations globally. By some estimates, enterprises will invest more than one trillion dollars globally into cybersecurity solutions by 2021. Yet our study of networks’ cybersecurity posture, released in December, finds basic weaknesses such as simple and compromised passwords and stealth admins with excessive privileges are threatening companies globally.

Our research findings are based on Preempt Inspector, a free app we launched to help enterprises analyze their security posture and identify areas of risk. About 600 organizations have downloaded the app, with 100 choosing to anonymously share security stats with us. The sample is a mix of U.S. (64 percent) and European (18 percent) enterprises, with a healthy distribution between small, medium and large organizations.

In the vast majority of networks we analyzed, we found at least one security issue, including:

● 32 percent of networks had some exposed passwords. Approximately 1 in 3 enterprise networks have passwords stored in Group Policy Preferences (GPP), which any authenticated user can recover. From our experience, these passwords are in some cases still valid and, in many cases, belong to an administrative account (domain or local). Given attackers’ ability to move laterally and escalate privileges within the network, this number is highly concerning.

● 72 percent of networks had at least one stealthy administrator. In most networks we scanned, we discovered at least one user who had been granted special permissions outside of a protected AD group. One such well-known account is the MSOL account used for Azure AD Connect. However, in most cases (61 percent), we found more than just one account with stealthy privileges.
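The GPP finding above is easy to check for yourself. The following is an added example, not Preempt Inspector code or anything from the original post: it walks a SYSVOL tree (or an offline copy) and reports which preference files and accounts carry a stored `cpassword` attribute, without decrypting anything. The sample XML is constructed in the Groups.xml layout and the cpassword value is a placeholder.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Attributes under which GPP stores the account a cpassword belongs to
# (Groups/Drives: userName, Services: accountName, ScheduledTasks: runAs, DataSources: username).
PRINCIPAL_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(xml_bytes, source="<inline>"):
    """Return one finding per preference item that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_bytes)
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):  # attribute absent or empty: nothing stored
            continue
        account = next((elem.get(a) for a in PRINCIPAL_ATTRS if elem.get(a)), "?")
        item = parent.get(elem, elem)  # cpassword sits on <Properties>; its parent names the item type
        findings.append({"file": source, "item": item.tag, "account": account})
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL tree (or an offline copy of it) and collect findings from every XML file."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            results.extend(find_cpasswords(path.read_bytes(), str(path)))
        except ET.ParseError:
            continue  # not a well-formed preference file
    return results

# Constructed sample in the Groups.xml layout; the cpassword value is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2018-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER_CPASSWORD_BLOB" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User name="Helpdesk" image="2" changed="2018-01-01 00:00:00">
    <Properties action="U" cpassword="" userName="Helpdesk"/>
  </User>
</Groups>"""

def demo():
    """Write the sample into a temporary SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp = Path(tmp) / "Policies" / "{POLICY-GUID}" / "Machine" / "Preferences" / "Groups"
        gpp.mkdir(parents=True)
        (gpp / "Groups.xml").write_bytes(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['item']} '{f['account']}' has a stored cpassword")
```

Any hit should be remediated by removing the preference item and rotating the account's password, since the stored value is recoverable by every domain user.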

Perhaps unsurprisingly, our findings show that larger organizations tend to have a better security posture: Preempt Inspector cracked about nine percent of passwords in large organizations, versus nearly 17 percent in small organizations. U.S.-based organizations also tended to fare better than the rest of the world on password policy. (For more on our findings, see the full report.)

Addressing Enterprise Risk

How can enterprises address these risk factors? First, you must have visibility into users with administrative privileges. It is critical to know who can access what, and where administrative privileges reside. If IT is not confident it knows who holds the keys to the castle, the organization should conduct an audit as soon as possible.

Second, a strong password policy is critical. Preempt researchers graded organizations’ password policies as low, medium or high and found only five percent had a strong password policy, defined as mandated complexity (such as a minimum of 10 characters, with a mix of character types and of lower- and upper-case letters). Enterprises must mandate password complexity to avoid cases like the breach of SingHealth, Singapore’s largest health organization. One of the factors behind the breach was a local administrator with the password “P@ssw0rd.” After 1.5 million medical records were stolen, it was revealed that the Prime Minister’s health records were among the compromised data.

Finally, organizations need a real-time adaptive response to accompany that visibility into their networks. Threats are not black and white, and you need more than a binary “allow/block” decision for suspicious behavior if you want to maintain business operations while minimizing risk. Your network should be able to automatically escalate suspicious behavior and act as needed - for example, by letting employees self-verify via multi-factor authentication or other methods of proving they are who they say they are.

Organizations should take note of the fact that in all likelihood, their networks are at risk from a combination of weak or compromised passwords, poor password policies and hygiene, stealth administrators and/or random users with excessive privileges. Compromised credentials were responsible for 81 percent of hacking-related breaches last year, and we anticipate this problem will worsen unless enterprises prioritize password best practices, as well as visibility and control around privileged users.

About the author: Ajit Sancheti is the CEO, Co-Founder and Board Member of Preempt and has over 20 years of experience in IT security and executive leadership. Previously, he co-founded Mu Dynamics (acquired by Spirent Communications) and held various management roles. Before Mu Dynamics, Ajit was part of the Corporate Development Group at Juniper Networks and an integral member of the team that developed the industry’s first Intrusion Detection and Prevention system at OneSecure (acquired by NetScreen). Prior to OneSecure, he spent seven years at Western Digital, holding various engineering and management positions. Ajit received his M.S. in Engineering from the University of Massachusetts, Amherst, and his MBA from INSEAD, France.