The Dangers of Hidden Identity Risks (and How to Avoid Them)


Proofpoint

Monday, November 20, 2023

Discover the three ways privileged identities could be putting your organization's cybersecurity at risk.


Did you know that privileged identities can inadvertently unlock some of your organization’s most valuable assets?

And if one of these identities becomes compromised, this opens the door to cybercriminals, allowing them to wreak havoc within your network.

Once inside, they can do all kinds of damage, including data theft and organizational-wide ransomware attacks.

With that in mind, Proofpoint analyzed data from a year’s worth of identity threat assessments to shed some light on the three hidden identity risks that leave your organization at its most vulnerable.

It quickly became apparent, not surprisingly, that even the best security teams can’t tackle the risks they can’t see.

1. Unmanaged identity vulnerabilities

One of the biggest issues facing organizations is unmanaged identity vulnerabilities. There are three key culprits:

  • Outdated local admin passwords
  • Temporary admin accounts
  • Local admins who have not been enrolled in an account management system

First and foremost, it’s best practice to ensure that all local admins are enrolled in privileged account management (PAM). Despite this, a worrying majority (87%) of local admins are not enrolled in such a system.

The good news is that there are tools available that can help detect these vulnerabilities and ensure each local admin has a unique password.

This reduces the risk of passwords being reused and makes it harder for cybercriminals to compromise these accounts and move laterally through your systems.

Default account names

The trouble is, it’s not just outdated passwords that are the issue. One in five (21%) local admins will still use the default account name ‘administrator’.

This is yet another way to make it easier for attackers to navigate through your IT environment.

And let’s say that these default accounts also use the same password. Well, now there is nothing to stop these criminals from gaining control of every single one of them.

Outdated and unset passwords

Unfortunately, outdated passwords point to another big security risk: those local admins remain unmanaged.

On 1 in 180 endpoints, local admin passwords are never set in the first place, and an unset local admin password increases the risk of an attack.

So, what can you do? It’s recommended to change your admin passwords every 30 to 90 days. This is because the more outdated a password becomes, the more risk it causes, especially if it’s being reused over and over again.

Unknown local admins

Unknown local admins also pose a risk.

These could be ‘temp’ or ‘test’ accounts that have been created and forgotten about along the way. All too often, no one knows who those admins are or what level of access they are supposed to hold, yet they are highly privileged on the given system and therefore, contribute to risk.

As a result, discovering and tackling unknown local admins should be a top priority.
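The three conditions above (default account name, outdated or unset password, unknown members of the local Administrators group) can be checked on a single endpoint with a short script. The following is an added example, not code from the Proofpoint article or its assessment tooling; the 90-day threshold, the hypothetical allow-list `$KnownAdmins`, and the use of the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later, elevated session) are this example's assumptions.

```powershell
# Added example (not from the Proofpoint article): audit a Windows endpoint for the
# three unmanaged local admin conditions described above.
# Assumptions: a 90-day maximum password age, a hypothetical allow-list of sanctioned
# local admin names, and the Microsoft.PowerShell.LocalAccounts module. Run elevated.

$MaxPasswordAgeDays = 90                    # assumed policy; the article suggests 30-90 days
$KnownAdmins        = @('LocalAdmin01')     # hypothetical allow-list of sanctioned local admin names
$findings           = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Account, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Account = $Account; Detail = $Detail })
}

# 1. Built-in Administrator (RID 500) still enabled under its default name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin -and $builtin.Enabled -and $builtin.Name -eq 'Administrator') {
    Add-Finding 'DefaultName' $builtin.Name 'Built-in admin is enabled and still named Administrator'
}

# 2. Enabled local accounts whose password was never set or is older than the threshold.
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    if (-not $u.PasswordLastSet) {
        Add-Finding 'PasswordNeverSet' $u.Name 'PasswordLastSet is empty'
        continue
    }
    $age = (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $MaxPasswordAgeDays) {
        Add-Finding 'PasswordOutdated' $u.Name "Password is $age days old"
    }
}

# 3. Local users in the Administrators group that are not on the allow-list
#    (forgotten 'temp' / 'test' accounts show up here).
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') { continue }
    $name = ($m.Name -split '\\')[-1]
    if ($builtin -and $name -eq $builtin.Name) { continue }   # built-in account handled in check 1
    if ($KnownAdmins -notcontains $name) {
        Add-Finding 'UnknownLocalAdmin' $name 'Local user in Administrators group not on the allow-list'
    }
}

if ($findings.Count -eq 0) { Write-Output 'No unmanaged local admin findings.' }
else { $findings | Format-Table -AutoSize }
```

Run it through your endpoint management tooling and collect the `Findings` table centrally; an account appearing under `UnknownLocalAdmin` is exactly the forgotten temp or test admin the text describes, and `PasswordNeverSet` corresponds to the unset-password case. Enrolling every flagged account in a PAM or LAPS-style system clears all three checks at once because each account then gets a unique, rotated password under a known owner.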

2. Misconfigured identity risks

Misconfigured identity risks can arise because of shadow admins: users who hold permissions beyond the visibility of IT admins and usually beyond what their role requires.

For example, a level-1 help-desk employee in a healthcare organization was responsible for resetting passwords, but had also been given level-3 permission, presumably by accident, to add domain admins at the same time.

The result of this misconfigured identity is that if this account was compromised, criminals could easily create new accounts that they control as well as escalate their privileges.

Unfortunately, these risks are apparent in far too many organizations. In fact, our analysis revealed that there are examples of misconfigured shadow admins in many organizations, across all sectors.

Perhaps most alarming is the fact that 40% of shadow admin risks can be exploited in just one single step, making this low-hanging fruit all too easy to exploit.

The risk of a full domain takeover

Another risk to your systems is shadow admins who have the power to control the whole domain. Although this is far less frequent, it is far more concerning when it does happen.

13% of shadow admins have domain admin privileges. What’s more, around 10% of endpoints have an unprotected privileged account password, with 26% of those exposed accounts being domain admins.

Once compromised, these accounts allow cybercriminals to do just about anything they want within your network, including harvesting credentials and accessing corporate systems.

Not only this, but the data shows that 1 in 50 shadow admins are regular users who are neither part of the IT team nor normally eligible by policy for increased privilege.

There could be several reasons why these users have been given these permissions. For example, they were mistakenly added to privileged groups, temporarily granted permissions that were later forgotten, or they have previously held an IT position.

Whatever the case may be, it’s important to tackle misconfigured identities right away, ensuring everyone has the correct permissions and that no shadow admins are, well, left lurking in the shadows.
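The help-desk example above is a permission on the Domain Admins group object itself: whoever can write its `member` attribute (or rewrite its ACL) can add domain admins without being one. The following added example, which is not code from the Proofpoint article or its assessment tooling, reads that ACL and lists every principal with such rights that is not on the expected list. It assumes the ActiveDirectory RSAT module, a session that can read the group's security descriptor, and an expected-principals list matching a default domain (adjust it to your environment).

```powershell
# Added example (not from the Proofpoint article): list principals that can change the
# membership of Domain Admins without being domain admins themselves.
# Assumptions: ActiveDirectory module (RSAT) installed; $expected reflects a default
# domain's legitimate holders and should be adjusted to your own environment.

Import-Module ActiveDirectory

$netbios    = (Get-ADDomain).NetBIOSName
$group      = Get-ADGroup -Identity 'Domain Admins'
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute

# Principals that legitimately hold write access on the group in a default domain.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins"
)

$R   = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

$shadow = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights

    # Rights that let the holder change membership directly, or rewrite the ACL/owner
    # so that they can grant it to themselves.
    $canWriteMember =
        $rights.HasFlag($R::GenericAll) -or
        $rights.HasFlag($R::GenericWrite) -or
        $rights.HasFlag($R::WriteDacl) -or
        $rights.HasFlag($R::WriteOwner) -or
        ($rights.HasFlag($R::WriteProperty) -and
            ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $memberGuid))

    if ($canWriteMember -and $expected -notcontains $ace.IdentityReference.Value) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

if ($shadow) { $shadow | Sort-Object Principal -Unique | Format-Table -AutoSize }
else { Write-Output "No unexpected principals can modify membership of $($group.Name)." }
```

Domain Admins is a protected group, so its ACL is periodically reset from AdminSDHolder; any principal this script lists is therefore either an unexpected entry on AdminSDHolder itself or a recent change, and both deserve a ticket. Running the same loop over Enterprise Admins, Administrators, and any group that grants domain-controller access turns the one-off check into a recurring shadow admin audit.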

3. Exposed identity vulnerabilities

The final hidden risk is that of exposed identities. This could include privileged identity information that has been left in cached credentials, password stores, or disconnected remote desktop protocol (RDP) sessions.

This is basically the virtual equivalent of writing your username and password down on a piece of paper and leaving it next to your computer.

There are too many tools out there that allow threat actors to exploit these credentials, particularly as 1 in 10 endpoints have exposed privileged account passwords.

But thankfully, being the most common identity risk, it is also one of the easiest to fix.

The best way to tackle these issues is to remove stored credentials from endpoints and web browsers, which are among the key sources of these exposed identity risks. In fact, 55% of exposed privileged identities are stored in browsers.

Not only this, but a third of exposed identities are stored as ‘in-app’ credentials and a quarter are from privileged Windows domain accounts. Of those, 41% are shadow admins.

One of the biggest issues here is that these exposed identities can go undetected for so long, enabling attackers to do maximum damage at their leisure.
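The three storage locations the section names (browser password stores, cached credentials, lingering RDP sessions) each have a documented endpoint policy that limits them. The following added example, which is not code from the Proofpoint article, reports the current state of those settings and optionally enforces them. The target values are this example's choices, not figures from the article; the registry paths are the documented policy locations for Chrome, Edge, Winlogon and Remote Desktop Services.

```powershell
# Added example (not from the Proofpoint article): report, and with -Apply enforce,
# endpoint settings that limit where privileged credentials are left exposed:
# browser password saving, cached domain logons, and disconnected RDP session lifetime.
# Assumptions: the desired values are this example's policy choices. Run elevated.

param([switch]$Apply)

# Desired state: one row per setting. Value types match what each consumer expects.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'PasswordManagerEnabled'
       Value = 0;   Type = 'DWord';  Why = 'Stop Chrome storing passwords' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'PasswordManagerEnabled'
       Value = 0;   Type = 'DWord';  Why = 'Stop Edge storing passwords' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount'
       Value = '1'; Type = 'String'; Why = 'Keep only one cached domain logon (default is 10)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'MaxDisconnectionTime'
       Value = 900000; Type = 'DWord'; Why = 'End disconnected RDP sessions after 15 minutes (ms)' }
)

function Get-CurrentValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($s in $desired) {
    $current   = Get-CurrentValue $s.Path $s.Name
    $compliant = ($null -ne $current) -and ("$current" -eq "$($s.Value)")

    if ($Apply -and -not $compliant) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
        $current   = Get-CurrentValue $s.Path $s.Name
        $compliant = "$current" -eq "$($s.Value)"
    }

    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    [pscustomobject]@{
        Setting   = $s.Name
        Current   = $shown
        Desired   = $s.Value
        Compliant = $compliant
        Purpose   = $s.Why
    }
}

$report | Format-Table -AutoSize
```

Run without `-Apply` first to see how far the fleet drifts from the desired state; in production these values belong in Group Policy or your MDM rather than a script, but the report side is useful for verifying that the policy actually landed. Keep `CachedLogonsCount` above zero for laptops that must log on while offline, and pair the RDP timeout with a logoff-on-disconnect policy if you want no residual session at all.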

From this it’s clear that every organization is at risk of hidden identity vulnerabilities because they are just that: hidden.

So, if you’d like to know more about unmanaged, misconfigured, or exposed identity risks and the analysis conducted by Proofpoint, check out the full white paper for more facts, figures, and advice.
