Service accounts might be the biggest cyber risk you’ve never heard of.
Hackers and cybersecurity professionals alike named service accounts as the most vulnerable targets in Thycotic’s new “Hackers and Security Professionals at Black Hat” report — but for most small and mid-sized businesses they’re not on the radar.
“A lot of smaller businesses who don’t do their own IT or their own development probably aren’t even aware that the service account exists,” said Terry Bradley, chief technology officer at PLEX Solutions LLC.
Service accounts are used in operating systems to run programs or execute applications. They tend to be out of sight, out of mind — until a hacker or a malicious insider uses one as the key to the castle.
Service accounts are a powerful weapon in the wrong hands, and Bradley said there’s the potential for “a lot of mischief.” Usually they’re set up by administrators or developers, and often quickly forgotten. They’re usually exempt from corporate policies requiring complex passwords, have passwords that don’t expire, and run super user or administrator privileges.
“So you’ve got a very powerful account that not a lot of people know about, and it’s potentially using a bad password,” Bradley said. “I’ve seen many, many cases where if the account was Veritas — that’s a popular backup software — the account would be named ‘veritas’ and the password would also be ‘veritas.’
“System admins and developers have a tendency to try to make their lives easy — they’ve got a lot of passwords and lots of hoops they have to jump through — so when they have the opportunity to take a shortcut, it’s tempting. And in many cases, they take that shortcut.”
Because service accounts typically have system/administrative/root level permissions, an attacker who gains control of the process can make changes at that permission level, said Jon Ford, VP of operations at MainNerve.
For a hacker scanning a list of accounts within a network, Bradley said, service accounts stand out “like gems.”
“One of the typical things they’re going to look for first is server accounts,” he said. And by trying passwords that match the username, there’s very little risk of getting locked out or caught.
“In one instance of a penetration test, when we found that we were able to log in to that account with [a password that matched the username], it was a domain admin account,” Bradley said.
Once a hacker infiltrates the domain administrator account, they have access to every system within that domain.
“So you can read any file, you can delete any file, you could install ransomware across all the systems on the domain,” he said. “Once you get to be a super user, you’ve got all the permission you need to do whatever it is you’re there to do.”
And once a hacker is in, Ford said, there’s plenty of time to wreak havoc undetected.
“These types of accounts are often not used directly by an individual, but by a program on the system,” he explained. “When a program is replaced or modified, the (now unneeded) service account is just sitting there with high level privileges and very likely a password that never expires. Since the account is likely forgotten, an attacker that gains control of the service account will have all the access they need to maintain a foothold on the system and pilfer [or] change data.”
For businesses, it’s not a matter of finding and securing a single service account. According to Thycotic’s research, there’s “no shortage of these risky accounts. Most organizations have more service accounts than employees — sometimes up to five times as many.”
Frequently, they have no automated controls in place, and in too many cases, the virtual door is left wide open.
Cybersecurity and digital forensics expert Joseph Carson wrote about being hired to review the cybersecurity protections of a state-of-the-art power station that had gone to great lengths to build itself “a physical and cyber fortress.” The protections were expensive and impressive.
“Then it happened,” he recalled. “Sitting on the table next to the controls was a printed page. It contained all the IP addresses, usernames and passwords for each control station and the service accounts. They had not been changed in more than four years and had all been installed by the manufacturer with default vendor credentials.
“Anyone could have made copies of this list: visitors, former employees or even contractors,” Carson said. “Anyone could have taken a smartphone picture and then instigated an attack at their leisure. The power station never would have seen it coming.”
Small and mid-sized businesses can’t compete with a power station’s resources, but they can take steps to reduce the risk of attack.
The best thing an SMB can do is hire a professional — directly or by contracting with a managed service provider — with the experience to develop security policies and procedures that evaluate and monitor the sensitive areas of their cyber infrastructure, Ford said.
Helpful policies include: periodic review to remove unneeded accounts; prohibiting interactive logins for service accounts; requiring complex passwords; setting password expirations on all accounts; and enabling logging and monitoring for every account with an elevated privilege level, so that if a service account is accessed, the damage can be limited.
Bradley emphasized the importance of following corporate password requirements, of third-party reviews — “Developers and system admins are not going to police themselves,” he said — and of detection mechanisms.
“I always tell people that you can’t always prevent hackers from getting into your systems — there’s some really skilled attackers out there,” he said. “So you also want to make sure that you’ve got the right systems in place to detect when those service accounts have been found and they’re being misused. Host-based monitoring, network security monitoring — put in the detection mechanisms to know when your systems have been compromised.”
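The two practical pieces above, Ford's policy checklist (remove unneeded accounts, no interactive logins, expire passwords, monitor privileged accounts) and Bradley's point that you also need detection, can be turned into a small audit. The script below is an added example written for this article, not code from Thycotic, PLEX Solutions or MainNerve; the account inventory and the Windows Security log lines it checks are constructed here, and the field names (`EventID`, `LogonType`, `TargetUserName`, `WorkstationName`) mirror event 4624 but the one-line key=value layout is an assumption made for the example.

```python
"""Service-account audit and interactive-logon detection (added example).

Flags the risky conditions the article describes (non-expiring or stale
passwords, elevated privileges, orphaned accounts) and detects interactive
sessions opened with accounts that should only ever be used by programs.
"""
from dataclasses import dataclass, field
from datetime import date

# Event 4624 logon types that indicate a human session rather than a service:
# 2 = interactive (console), 10 = RemoteInteractive (RDP), 11 = cached interactive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy value for the example


@dataclass
class Account:
    name: str
    password_never_expires: bool
    password_last_set: date
    groups: set = field(default_factory=set)
    used_by_service: bool = True  # False once the program it ran was retired


def audit_accounts(accounts, today):
    """Return (account name, finding) pairs for every policy violation."""
    findings = []
    for a in accounts:
        if a.password_never_expires:
            findings.append((a.name, "password never expires"))
        elif (today - a.password_last_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.name, "password older than policy"))
        if a.groups & PRIVILEGED_GROUPS:
            findings.append((a.name, "member of privileged group"))
        if not a.used_by_service:
            findings.append((a.name, "orphaned: no program uses it"))
    return findings


def parse_event(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    event = dict(token.split("=", 1) for token in line.split())
    event["EventID"] = int(event["EventID"])
    event["LogonType"] = int(event.get("LogonType", 0))
    return event


def detect_interactive_logons(log_lines, service_account_names):
    """Return (account, logon type, workstation) for interactive logons by service accounts."""
    names = {n.lower() for n in service_account_names}
    hits = []
    for line in log_lines:
        e = parse_event(line)
        if e["EventID"] != 4624:
            continue
        if e["TargetUserName"].lower() in names and e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            hits.append((e["TargetUserName"], e["LogonType"], e["WorkstationName"]))
    return hits


# Constructed inventory: three service accounts in various states of neglect.
SAMPLE_ACCOUNTS = [
    Account("svc_backup", True, date(2019, 1, 1), {"Domain Admins"}),
    Account("svc_legacy", False, date(2020, 3, 1), set(), used_by_service=False),
    Account("svc_web", False, date(2023, 5, 1), set()),
]

# Constructed log lines; only the RDP session by svc_backup should be flagged.
SAMPLE_LOG = [
    "EventID=4624 LogonType=5 TargetUserName=svc_backup WorkstationName=SRV-BACKUP01",
    "EventID=4624 LogonType=10 TargetUserName=svc_backup WorkstationName=WS-17",
    "EventID=4624 LogonType=2 TargetUserName=alice WorkstationName=WS-03",
    "EventID=4634 TargetUserName=svc_backup WorkstationName=SRV-BACKUP01",
    "EventID=4624 LogonType=3 TargetUserName=svc_web WorkstationName=WS-09",
]


def run_audit(today=date(2023, 6, 1)):
    """Run both checks over the constructed data and return the results."""
    names = [a.name for a in SAMPLE_ACCOUNTS]
    return audit_accounts(SAMPLE_ACCOUNTS, today), detect_interactive_logons(SAMPLE_LOG, names)


if __name__ == "__main__":
    findings, logons = run_audit()
    for name, why in findings:
        print(f"POLICY  {name}: {why}")
    for name, ltype, host in logons:
        print(f"DETECT  {name}: interactive logon type {ltype} from {host}")
```

In a real domain the inventory would come from the directory (for example the `PasswordNeverExpires` and `PasswordLastSet` attributes and group membership) and the log lines from the Security event log of each host; the point of the example is that every one of Ford's policy items maps to a concrete, repeatable check, and that the interactive-logon rule catches the case where a service account is being used by a person rather than by the program it was created for.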
Even better: Prevent the panicked search for service accounts in the first place.
“We’re kind of talking about it from the status quo — like, these things are out there,” Bradley said. “But ideally, organizations need to get ahead of this so they don’t get in the situation in the first place. That comes back to having security built into your processes, whether that’s the development process, or the system deployment process. Security needs to be integrated into that building of new systems, and the hardening of those systems so that they’re tested before they actually get put on the network. And once they’re on the network, come back and revisit, retest, to make sure that security hasn’t been degraded over time or disabled for convenience.”
Hiring a cybersecurity professional or consultant at the outset can save a business a world of pain down the road, he said.
“It’s not as glamorous as penetration testing. It’s very exciting when you find a way to break into the organization, whereas the security person on the development team is like Debbie Downer saying things like, ‘We need to use secure protocols, we’re not going to make the password the same as a username.’ But if you can prevent those things from ever getting fielded vulnerable in the first place, that’s a huge win,” Bradley said. “It’s going to save you money down the road.”