Last week, we introduced the basics of what privileged credentials are and why they need to be managed, and also covered some universal challenges and best practices applicable to all types of passwords. In today’s blog, the second in our series, let’s examine some challenges more specific to an enterprise’s privileged credentials.

Read the entire series now in Privileged Password Management Explained, the definitive primer on privileged password security.

Challenges to Managing Privileged Passwords

Lack of visibility and awareness of all of the privileged accounts and credentials across an enterprise poses a monolithic challenge—especially for those companies that rely on manual processes and tools. Privileged accounts, many long forgotten, are sprawled across most organizations. Different teams may be separately managing—if managing at all—their own set of credentials, making it difficult to track all the passwords, let alone who has access to them and who uses them. An admin may have access to 100+ systems, possibly disposing them to take shortcuts in maintaining the credentials. Beyond this, as elaborated in the sections below, some types of credentials are virtually impossible to find, let alone bring under management, without third-party tools.

Lack of privileged credential oversight and auditability: Even if IT successfully identifies all the privileged credentials strewn across the enterprise, this does not by default translate into knowing what specific activities are performed during a privileged session (i.e. the period of time during which elevated privileges are granted to an account, service, or process). Privileged access to a superuser account should not amount to ceding carte blanche to the user. Moreover, PCI, HIPAA, and other regulations require organizations to not just secure and protect data, but be capable of proving the effectiveness of those measures. So, for both compliance and security reasons, IT needs visibility into the activities performed during the privileged session.

Ideally, IT should also have the ability to seize control over a session should inappropriate use of the credentials occur. But, with potentially hundreds or concurrent privileged sessions running across an enterprise, how does IT expeditiously detect and halt malicious activity? While some applications and services (such as Active Directory), can log user actions, and while Windows servers using logon events within Event Log data can reveal some behavioral anomalies, expect full coverage over privileged account usage to require a third-party solution.

Sharing of privileged accounts for convenience: IT teams commonly share root, Windows Administrator, and many other privileged passwords so workloads and duties can be seamlessly shared as needed. However, with multiple people sharing an account password, it may be impossible to trace actions performed with an account to a single individual, complicating auditing and accountability.

Hard-coded / embedded credentials: Privileged credentials are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Applications, systems, and IoT devices, are commonly shipped, and often deployed, with embedded, default credentials that are easily guessable and pose formidable risk until they are brought under management. These privileged credentials are frequently stored in plain text – perhaps within a script, code, or a file. Unfortunately, there is no manual way to detect or centrally manage passwords stored within applications or scripts. Securing embedded passwords requires separating the password from the code, so that when it’s not in use, it’s securely stored in a centralized password safe, as opposed to being constantly exposed as when in plain text.

SSH keys: IT teams commonly rely on SSH keys to automate secure access to servers, bypassing the need to manually enter log-in credentials. SSH key sprawl presents a substantive risk for thousands of organizations, which may have upwards of a million SSH keys—many long dormant and forgotten, but still viable backdoors for hackers to infiltrate critical servers. SSH keys are standard, and more prevalent, in Unix and Linux environments, but are also used across Windows. Admins leverage SSH keys to manage operating systems, networks, file transfers, data tunneling, and more. As with other privileged credentials, SSH keys are not necessarily tied to a single user—multiple people may share the private key and pass phrase to a server, which holds the public key. As with other types of privileged credentials, when organizations rely on manual processes, there is a pronounced tendency to reuse a passphrase across many SSH keys or to reuse the same public SSH key. This means that one compromised key can then be harnessed to infiltrate multiple servers.

Privileged credentials and the Cloud: The challenges of visibility and auditability are generally exacerbated in cloud and virtualized environments. Cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide vast superuser capabilities, enabling users to rapidly provision, configure, and delete servers at massive scale. Within these consoles users can spin-up and manage thousands of virtual machines (each with its own set of privileges and privileged accounts) with just a few clicks. One predicament then arises around how to onboard and manage all of these newly created privileged accounts and credentials. On top of this, cloud platforms frequently lack native capability to audit user activity. And, even for those organizations that have implemented some degree of automation for their password management (either through in-house, or third-party solutions), if not architected with the cloud in mind, there’s no guarantee a password management solution will be able to adequately manage cloud credentials.

Third-party vendor accounts / remote access solutions: Finally, another quandary for organizations is how to extend privileged access and credential management best practices to third-party users, such as consultants or other vendors that may perform a variety of activities. How do you ensure that the authorization provided via remote access or to a third-party is appropriately used? How do you ensure that the third-party organization is not sharing credentials, or otherwise exercising poor password hygiene, such as by failing to terminate authorization credentials when an employee departs from the company?

Some Common Password Attack Techniques

Password attacks come from all angles. Some programs, such as John the Ripper and L0phtCrack, can even crack complex passwords, while Pass the Hash toolkits can be lethal without even cracking the password. Here are some common credential exploit tactics:

Next week, in the third and final blog of this series we will cover privileged password management best practices and benefits, along with resources to help you improve your security and oversight of privileged credentials.

Also, for further lessons into how to protect your privileged credentials from both inside and external attackers, check out this on-demand webinar with Security Expert, Nick Cavalancia: A Hacker’s Perspective – Where Your Password Strategy is Lacking.