Dark Reading
Operations
3/16/2021 01:00 PM
Yaron Kassner
Commentary

Best Practices for Securing Service Accounts

While service accounts solve many of the challenges presented by automation, they can also create serious problems when it comes to cybersecurity.

Now is the time to establish cybersecurity best practices to prevent service accounts from becoming the attack vector for today's cyber thieves.

Service accounts are the identities under which applications, services, and scheduled tasks run; they carry the rights those processes need to operate unattended in the background, reducing the burden on IT staffers. However, they have a dark side: automated activity becomes so routine that it goes unnoticed and unmonitored, falling outside the controls applied to human users. Simply put, as the number of service accounts in an organization increases, so does the potential attack surface of that organization.

While service accounts solve many of the challenges presented by automation, they also create serious problems for cyber hygiene. These problems must be addressed to protect organizations from breaches, lateral movement, and numerous other threats.

Visibility Is the Key to Cybersecurity
"You cannot secure what you are not aware of" might be a hackneyed expression; however, it rings true in the world of cybersecurity. Service accounts are created to implement business processes and, in most cases, without the knowledge of cybersecurity teams. In other words, service accounts go undocumented, unmonitored, and unmanaged, which creates potential attack vectors.

Over time, problems can arise as admins lose track of service accounts and avoid rotating their passwords or changing their permissions for fear of breaking the services that depend on them. Those factors turn service accounts into static elements that can be compromised without anyone knowing it. One solution is instituting a unified management platform for service accounts. Such a platform not only discovers active and inactive service accounts but also provides insight into how each account is used and whether it is a service account, an account used by a human, or both. The signals for that distinction are usually already available: service accounts tend to authenticate non-interactively, from a small fixed set of hosts, at regular intervals, whereas interactive logons from a workstation under a service account's name indicate a human using it.

Service Accounts Must Be Monitored
Having an inventory of service and user accounts will not tell you what an account does. Active monitoring is key to deriving insights into actual account activity. Monitoring should provide visibility into account behavior and determine whether an account is displaying abnormal activity. What's more, accounts should be audited, and every authentication attempt, successful or failed, should be monitored to detect brute-force attacks or other attempts at compromise; this matters especially for service accounts, which are often exempted from lockout policies to avoid outages. The monitoring platform should also incorporate intelligence to identify known attack techniques and account weaknesses such as excessive privileges. Monitoring, auditing, and anomaly detection give cybersecurity professionals the insight to make decisions based upon facts, not assumptions.
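The discovery and monitoring steps described in the two sections above, as an added example that is not code from the article, from Silverfort, or from any product. It parses a constructed authentication log (the line format, host names, and account names are assumptions for the example), labels each account as service, human, or both from the logon types it successfully uses, flags accounts with no successful logon in 90 days, and reports any source that produced a run of failed attempts against one account inside a short window.

```python
"""Account discovery and brute-force detection over authentication log lines.

Added example; not code from the article or any product. Constructed log
format (one event per line, assumed for the example):
    <ISO-8601 timestamp> <OK|FAIL> account=<name> src=<host> dst=<host> type=<logon type>
Logon types follow the Windows convention: Interactive for a console or RDP
session; Network, Service and Batch for unattended use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed data, not a real capture).
SAMPLE_LOG = """\
2021-03-01T02:00:00 OK account=svc_backup src=bkp01 dst=fs01 type=Service
2021-03-02T02:00:00 OK account=svc_backup src=bkp01 dst=fs01 type=Service
2021-03-03T02:00:00 OK account=svc_backup src=bkp01 dst=fs01 type=Service
2021-03-04T02:00:00 OK account=svc_backup src=bkp01 dst=fs01 type=Service
2021-03-01T09:12:00 OK account=jsmith src=wks17 dst=wks17 type=Interactive
2021-03-03T08:54:00 FAIL account=jsmith src=wks17 dst=wks17 type=Interactive
2021-03-03T08:55:00 OK account=jsmith src=wks17 dst=wks17 type=Interactive
2021-03-01T03:00:00 OK account=svc_etl src=etl01 dst=db01 type=Batch
2021-03-02T03:00:00 OK account=svc_etl src=etl01 dst=db01 type=Batch
2021-03-02T14:20:00 OK account=svc_etl src=wks22 dst=wks22 type=Interactive
2020-11-10T04:00:00 OK account=svc_legacy src=old01 dst=app01 type=Service
2021-03-04T10:00:00 FAIL account=svc_etl src=wks99 dst=db01 type=Network
2021-03-04T10:00:05 FAIL account=svc_etl src=wks99 dst=db01 type=Network
2021-03-04T10:00:10 FAIL account=svc_etl src=wks99 dst=db01 type=Network
2021-03-04T10:00:15 FAIL account=svc_etl src=wks99 dst=db01 type=Network
2021-03-04T10:00:20 FAIL account=svc_etl src=wks99 dst=db01 type=Network
2021-03-04T10:00:25 FAIL account=svc_etl src=wks99 dst=db01 type=Network
"""

# Fixed "now" so the example is reproducible; a real job would use the current time.
NOW = datetime(2021, 3, 5)
UNATTENDED_TYPES = {"Service", "Batch", "Network"}


def parse_log(text):
    """Turn log lines into dicts with a parsed timestamp and a boolean result."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, *fields = line.split()
        event = dict(item.split("=", 1) for item in fields)
        event["ts"] = datetime.fromisoformat(ts)
        event["ok"] = result == "OK"
        events.append(event)
    return events


def classify_accounts(events, now=NOW, inactive_after=timedelta(days=90)):
    """Label each account service / human / both from the logon types of its
    successful logons, and flag accounts with no success inside the window."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["ok"]:
            by_account[ev["account"]].append(ev)
    report = {}
    for account, evs in by_account.items():
        types = {e["type"] for e in evs}
        unattended = bool(types & UNATTENDED_TYPES)
        interactive = "Interactive" in types
        kind = "both" if unattended and interactive else "service" if unattended else "human"
        last_success = max(e["ts"] for e in evs)
        report[account] = {
            "kind": kind,
            "sources": sorted({e["src"] for e in evs}),
            "last_success": last_success,
            "inactive": now - last_success > inactive_after,
        }
    return report


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return (account, src, count) where one source produced at least
    `threshold` failed attempts against one account inside `window`."""
    failures = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            failures[(ev["account"], ev["src"])].append(ev["ts"])
    hits = []
    for (account, src), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((account, src, best))
    return hits


def analyze(log_text=SAMPLE_LOG, now=NOW):
    """Run discovery and brute-force detection; returns (report, hits)."""
    events = parse_log(log_text)
    return classify_accounts(events, now), detect_brute_force(events)


if __name__ == "__main__":
    report, hits = analyze()
    for account, info in sorted(report.items()):
        flags = []
        if info["kind"] == "both":
            flags.append("service account also used interactively")
        if info["inactive"]:
            flags.append("no successful logon in 90 days")
        print(f"{account:12} {info['kind']:8} sources={info['sources']} {'; '.join(flags)}")
    for account, src, count in hits:
        print(f"brute force: {count} failures for {account} from {src}")
```

In the constructed data, svc_etl comes out as "both" because someone logged on interactively with it from a workstation, and svc_legacy is flagged inactive; both findings are exactly the kind of thing an inventory alone would not reveal. Logon type is one signal; a production discovery job would also pull directory attributes (service principal names, password-never-expires) and compare the results.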

The Importance of Policies
Knowledge without action accomplishes very little in the battle against compromise and cyberattacks. This point should not be lost on anyone attempting to secure service accounts. Policies are a critical tool for addressing account security and should be implemented using clear definitions and consistent enforcement.

With service accounts, as well as user accounts, defined policies that enforce security best practices are a must-have in today's complex environments. For a service account, a useful policy is simply its legitimate baseline: the source hosts, destination resources, protocols, and times at which it has been observed to operate, with everything else denied. Innovative solutions not only allow administrators to define such policies but also suggest the most appropriate policy for any analyzed service account. Policies provide another layer of protection and should enable administrators to define granular elements that block any behavior outside the account's baseline.

Real-Time Response Is Critical
Policy enforcement is a tactical method for preventing breaches: it is the ability to respond to any unauthorized attempt to access a protected resource. However, the response needs to be immediate as well as automated. When selecting technologies to protect service accounts, administrators must ascertain how well a platform responds to threats. That means it must incorporate active monitoring and policy enforcement backed by detection and response, and do it all in real time. A response that is delayed by the need for human interaction is less than effective, since compromise and lateral movement can happen in a matter of seconds. The response should also be scoped: denying the offending request and isolating its source preserves the legitimate service, whereas disabling the account outright turns a false positive into an outage.
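The policy suggestion and real-time enforcement described in the two sections above, as an added example that is not code from the article, from Silverfort, or from any product. The event fields, the policy dimensions (source, destination, protocol, hour of day), the baseline data, and the response actions are assumptions chosen for the example: a policy is derived from an account's observed baseline, each new authentication is evaluated against it inline, and a violation is denied and alerted on without disabling the account.

```python
"""Baseline-derived policy for a service account, enforced per authentication.

Added example; not code from the article or any product. AuthEvent fields,
policy dimensions and response actions are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    account: str
    src: str       # host the request came from
    dst: str       # resource being accessed
    protocol: str  # e.g. Kerberos, NTLM, LDAP


@dataclass(frozen=True)
class Policy:
    account: str
    allowed_sources: frozenset
    allowed_destinations: frozenset
    allowed_protocols: frozenset
    allowed_hours: frozenset  # hours of day (0-23) in the log's timezone


# Constructed baseline: a week of the ETL account doing exactly one thing.
# A baseline is only trustworthy if the account was not already compromised
# while it was collected; review it before turning it into policy.
BASELINE = [
    AuthEvent(datetime(2021, 3, d, 3, 0), "svc_etl", "etl01", "db01", "Kerberos")
    for d in range(1, 8)
]


def suggest_policy(account, baseline):
    """Tightest policy consistent with observed activity: each dimension is
    exactly the set of values seen in the baseline."""
    evs = [e for e in baseline if e.account == account]
    if not evs:
        raise ValueError(f"no baseline activity for {account}")
    return Policy(
        account=account,
        allowed_sources=frozenset(e.src for e in evs),
        allowed_destinations=frozenset(e.dst for e in evs),
        allowed_protocols=frozenset(e.protocol for e in evs),
        allowed_hours=frozenset(e.ts.hour for e in evs),
    )


def evaluate(policy, event):
    """Return the policy dimensions the event violates (empty list means allow)."""
    checks = [
        ("source", event.src, policy.allowed_sources),
        ("destination", event.dst, policy.allowed_destinations),
        ("protocol", event.protocol, policy.allowed_protocols),
        ("hour", event.ts.hour, policy.allowed_hours),
    ]
    return [f"{name}={value}" for name, value, allowed in checks if value not in allowed]


def respond(policy, event):
    """Inline decision for one authentication request. On violation, deny that
    request, alert, and isolate the offending source; the account stays enabled
    so a false positive does not become a self-inflicted outage."""
    assert event.account == policy.account
    reasons = evaluate(policy, event)
    if not reasons:
        return {"decision": "allow", "reasons": [], "actions": []}
    return {
        "decision": "deny",
        "reasons": reasons,
        "actions": ["deny_authentication", "alert_soc", f"isolate_source:{event.src}"],
    }


# Constructed events to evaluate against the suggested policy.
ROUTINE_RUN = AuthEvent(datetime(2021, 3, 9, 3, 0), "svc_etl", "etl01", "db01", "Kerberos")
LATERAL_MOVE = AuthEvent(datetime(2021, 3, 9, 14, 7), "svc_etl", "wks99", "dc01", "NTLM")
WRONG_TARGET = AuthEvent(datetime(2021, 3, 9, 3, 0), "svc_etl", "etl01", "fs01", "Kerberos")


def demo():
    """Return the decision for each constructed event."""
    policy = suggest_policy("svc_etl", BASELINE)
    cases = [("routine", ROUTINE_RUN), ("lateral", LATERAL_MOVE), ("wrong_target", WRONG_TARGET)]
    return {name: respond(policy, ev) for name, ev in cases}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["decision"], result["reasons"], result["actions"])
```

The routine nightly run is allowed, the workstation-to-domain-controller NTLM request fails every dimension and is denied with the source isolated, and the request to an unexpected file server is denied on destination alone. The decision is computed per request with no human in the loop, which is what makes the response fast enough to matter; the price is that the baseline must be vetted, since a policy learned while an intruder was already active would whitelist the intruder.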

Protecting service accounts from compromise and other attack vectors requires tearing down the silos of access and applying intelligence to identifying service accounts so that policies can be defined to protect them. What's more, in today's fast-paced world of cyberattacks, automation has become a must, and automated responses must happen in real time, before any damage can occur. This combination of discovery, policy, automation, and response is the difference between successfully protecting service accounts and exposing them to attacks.

Yaron Kassner is CTO and co-founder of Silverfort, a provider of unified identity management technology. He is a recognized expert in cybersecurity and big data technology. Prior to founding Silverfort, Yaron served as a big data expert consultant for Cisco and also worked on ...
 
