Earlier this month, Dark Reading reported that Active Directory mis-management by administrators is currently exposing a whopping 90% of businesses to cyber breaches. The research made by Skyport concluded that should an administrator’s password become compromised, the “blast radius will reach nearly every system in the enterprise“.
It’s true — an administrator’s password that falls into the wrong hands can wreak havoc on a company. Using what is effectively the master key into a company’s entire corporate system, the outsider can spend as much time as they like snooping around the whole system with little chance of detection. How? Because traditional security tools like anti-virus software and firewalls aren’t going to detect any wrongdoing when a hacker logs in using the correct credentials.
However, Skyport’s focus on the over exposure of Active Directory administrators’ credentials shouldn’t stop there.
Organisations need to better protect and secure all Active Directory user accounts — not just administrators — to prevent compromised credentials from becoming a threat. While IT administrators are important gatekeepers, any kind of compromised staff credentials leave organisations vulnerable and can be equally as devastating. Just look at what happened to the likes Dropbox, Sony, eBay, Sage, Anthem and Three…
So how can organisations better protect against compromised credentials for all users? Skyport argues, among many things, that organisations should limit domain admin privileges, which would mitigate the damage that compromised credentials can cause. The article also implies that since only 25% of organisations currently use multi-factor authentication (MFA), Skyport is in favour of using MFA to add a layer of protection to passwords.
However, there exists two issues with both of those approaches. First, while limiting admin privileges would indeed mitigate the threat of compromised credentials, it also limits the flexibility of admins, and doesn’t remedy the source of the problem — the fact that credentials might be compromised in the first place. Secondly, MFA isn’t widely used by organisations because, as IS Decisions research found, MFA is complex, time consuming and expensive to roll out — and it impedes end users too much.
IS Decisions’s approach to protecting all Active Directory user accounts doesn’t impede users, doesn’t encroach on the flexibility of admins, and protects everyone within a company — not just the administrators.
We believe in using ‘context-aware’ security, which is fast gaining in popularity. Context-aware security comes with many of the security benefits of MFA but without the cons of lost productivity or admin inflexibility. It works by restricting access to networks through only authorized workstations, laptops, tablets, times of day and geographies, so companies stand a much better chance of keeping out attackers who use real, but compromised logins.
Think about it — if an administrator’s password gets compromised but the organisation has, for example, restricted access to just the unique devices owned by the admin, no hacker using that login will be able to gain access. Crucially, this kind of security would’ve prevented many of the recent high profile cyber attacks.
Context-aware security is well worth looking into, and it’s exactly what we provide through UserLock.