It's easy to fall into the trap of thinking of privileged accounts in terms of the human users who have them. But privileged accounts are also extended to machines and systems to allow them to interact.
Organizations typically have two to three times more privileged accounts than they have employees. Carson notes that every system that gets deployed comes with a default account, and those systems are then connected to service accounts that maintain them. Each virtual machine that gets deployed also receives privileges that do not expire when the machine they are associated with is spun down, and if a VM is cloned, those privileges are cloned along with it. As a result, organizations often wind up with large numbers of rogue privileged accounts, many of them unknown to the security team, with access to their environment.
"Thus, hijacking privileged accounts gives attackers the ability to access and download an organization's most sensitive data, poison data, broadly distribute malware, bypass existing security controls and erase audit trails to hide their activity," Thycotic writes in the report. "It is critical to proactively manage, monitor, and control privileged account access — these accounts are necessary to today's IT infrastructure and ensuring they are securely managed is critical."
To make matters worse, organizations still frequently rely on manual systems such as spreadsheets to manage privileged account passwords. Not only is that inefficient, Carson notes, but such spreadsheets are themselves easy targets for an attacker: a single compromised file hands over every credential it lists, posing a major risk to the entire enterprise.
"Privileged Account password protection provides a comprehensive solution to automatically discover and store privileged accounts, schedule password rotation, audit, analyze and manage individual privileged session activity and monitor password accounts to quickly detect and respond to malicious activity," Thycotic writes. "This adds a new layer of security to protect privileged accounts from inside the network."
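The account patterns described above (vendor default accounts left in place, service-account privileges that outlive a decommissioned VM, credentials duplicated by cloning, and passwords that are never rotated) can be flagged from an inventory before a full PAM deployment. The script below is an added example, not code from the article or from Thycotic; the inventory format, the sample records, the `cred_id` field (standing in for a secret hash or vault reference) and the `KNOWN_VENDOR_DEFAULTS` set are all constructed for illustration.

```python
"""Audit a privileged-account inventory for rogue-account patterns:
default accounts still using vendor credentials, privileges attached to
hosts that no longer run, credentials shared across hosts (cloned VMs),
and passwords past their rotation deadline.

Inventory format and sample records are constructed for this example;
a real run would pull them from a PAM tool, directory, or CMDB.
"""
from collections import defaultdict
from datetime import date

# Constructed sample inventory. 'cred_id' stands in for a hash or vault
# reference of the stored secret; equal values mean the same credential.
INVENTORY = [
    {"account": "root", "host": "vm-web-01", "kind": "default", "privileged": True,
     "host_state": "running", "cred_id": "c1", "rotated": date(2024, 1, 10)},
    {"account": "admin", "host": "fw-edge-01", "kind": "default", "privileged": True,
     "host_state": "running", "cred_id": "vendor-default", "rotated": None},
    {"account": "svc-backup", "host": "vm-db-01", "kind": "service", "privileged": True,
     "host_state": "running", "cred_id": "c2", "rotated": date(2024, 5, 1)},
    {"account": "svc-backup", "host": "vm-db-01-clone", "kind": "service", "privileged": True,
     "host_state": "running", "cred_id": "c2", "rotated": date(2024, 5, 1)},
    {"account": "svc-deploy", "host": "vm-ci-07", "kind": "service", "privileged": True,
     "host_state": "decommissioned", "cred_id": "c3", "rotated": date(2023, 11, 2)},
    {"account": "jdoe", "host": "vm-web-01", "kind": "human", "privileged": False,
     "host_state": "running", "cred_id": "c4", "rotated": date(2024, 6, 1)},
]

AS_OF = date(2024, 7, 1)          # assumed audit date for the sample run
MAX_AGE_DAYS = 90                 # assumed rotation policy
KNOWN_VENDOR_DEFAULTS = {"vendor-default"}  # constructed placeholder set


def audit(inventory, today, max_age_days=MAX_AGE_DAYS):
    """Return (finding, account, host) tuples for every privileged record."""
    findings = []
    by_cred = defaultdict(list)
    for rec in inventory:
        if not rec["privileged"]:
            continue                      # only privileged accounts matter here
        by_cred[rec["cred_id"]].append(rec)
        key = (rec["account"], rec["host"])
        if rec["host_state"] != "running":
            # Privilege that survived the VM it was issued for.
            findings.append(("orphaned-privilege",) + key)
        if rec["kind"] == "default" and rec["cred_id"] in KNOWN_VENDOR_DEFAULTS:
            findings.append(("vendor-default-credential",) + key)
        if rec["rotated"] is None or (today - rec["rotated"]).days > max_age_days:
            findings.append(("rotation-overdue",) + key)
    # The same credential on more than one host is the signature of a cloned VM.
    for recs in by_cred.values():
        if len({r["host"] for r in recs}) > 1:
            for r in recs:
                findings.append(("shared-credential", r["account"], r["host"]))
    return findings


def summarize(findings):
    """Count findings by type, e.g. {'rotation-overdue': 3, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(INVENTORY, AS_OF)
    for finding in sorted(results):
        print(*finding)
    print(summarize(results))
```

On the sample data the run reports the decommissioned `vm-ci-07` service account as an orphaned privilege, the two `svc-backup` entries as a shared credential (the clone kept its parent's secret), the firewall `admin` account as still on a vendor default, and three passwords past the 90-day rotation window. Each finding maps to one of the remediation steps the report lists: discover, store in a vault, rotate on schedule, and audit.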
3. Extend IT security awareness training
Many security professionals regard human beings as the weakest link in any organization's security.
"As more sophisticated social engineering and phishing attacks have emerged in the past few years, companies need to seriously consider expanding their IT security awareness programs beyond simple online tests or acknowledgements of policies," Thycotic writes. "Especially as personal mobile devices are increasingly used for business purposes, educating employees on secure behaviors has become imperative."
Security awareness training has a history of variable results, though Steve Durbin, managing director of the Information Security Forum (ISF), believes that a program that seeks to embed positive infosec behaviors into business processes can transform employees from the weakest link into the first line of defense.
"The process itself may be the problem," Durbin says. "It may be that you have a particularly complex system or cumbersome process, and it doesn't have to be that way. Ask yourself: 'If we were starting fresh, how would we build security into this particular process in a way that would make it easy for people to conform?'"