Security Gaps In Business-Critical Identity Services 

Microsoft Active Directory was first released with the Windows 2000 server operating system and continues to be the identity service of choice for over 90 per cent of organisations. As a primary method of providing authentication and authorisation, AD is exploited in 9 out of 10 cyberattacks.
 
A report by Purple Knight, the free AD vulnerability assessment tool built by Semperis, has found that organisations of all sizes and across every industry are still failing to address Microsoft Active Directory (AD) security gaps that can leave them vulnerable to identity-based cyberattacks.

The survey of IT and security leaders reported an average score of 72 out of 100 on their initial assessment reports in the study of 150+ organisations globally—equating to a low C grade.

With identity-based attacks on the rise, cybercriminals often exploit AD to expand their attacks from one compromised user account to their victim’s entire IT infrastructure. An intruder can, for example, use any unprivileged AD account to read almost all attributes and objects in AD, including the user’s permissions. This information enables them to find and take over computer accounts that are configured with unconstrained delegation.
 
The consequences of such an attack can be disastrous: once Active Directory is down, the entire organisation grinds to a halt, and AD can take weeks to restore.

 
As an example, the Kaseya attack paralysed as many as 1,500 organisations. An attack on Colonial Pipeline, the largest fuel pipeline in the US, led to shortages across the East Coast. And the attack on SolarWinds’ systems spread to about 18,000 customers. All these attacks involved AD—as do approximately 90 per cent of security incidents, according to Mandiant.
 
Although awareness of the security risks related to AD is growing, the Purple Knight research report indicates that organisations are still struggling to identify and address the vulnerabilities that leave their identity environments open to cyberattacks.
 
The results also corroborate findings from Microsoft: According to the 2022 Digital Defense Report, 88% of Microsoft customers affected by cyber incidents had “insecure AD configuration”. 

Privileged Accounts & Misconfigurations A Particular Issue 

One of the challenges for businesses trying to secure AD is a lack of visibility into the weak spots of the identity service. Complications can arise from inherited or legacy identity infrastructures, with outdated user permissions and inactive user accounts adding to the complexity. Most AD infrastructures were implemented years or even decades ago and have been managed by different administrators over time, accruing a solid misconfiguration debt.
 
Accordingly, the lowest score among the seven AD categories assessed by the Purple Knight tool related to account security. Organisations reported an average score of 61 out of 100, and over half (55 per cent) the respondents reported five or more security indicators in the account security category. Amongst the most common vulnerabilities uncovered were privileged users with weak passwords, unprotected accounts with admin rights, and admin accounts with old passwords.
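The two on-premises indicators described above, computer accounts configured with unconstrained delegation and privileged accounts with stale or weak password settings, can be audited from any domain-joined session. The script below is an added example written for this page; it is not from the article, from Semperis or from the Purple Knight tool. It assumes the RSAT ActiveDirectory PowerShell module, treats membership of the Protected Users group as the meaning of "protected", and uses a group list and a 180-day password-age threshold that are choices made here, not figures from the report.

```powershell
# Added example, not from the article or from Semperis/Purple Knight: a read-only
# audit of two indicators the article names. Assumptions: the RSAT ActiveDirectory
# module is installed, the session runs as an ordinary domain user (no admin rights
# are needed to read these attributes), and the group list and 180-day threshold
# are choices made here.
Import-Module ActiveDirectory

# --- Indicator 1: computer accounts with unconstrained delegation ---------------
# userAccountControl bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION; the LDAP
# matching rule 1.2.840.113556.1.4.803 performs a bitwise AND on the attribute.
# Domain controllers legitimately carry the flag, so they are excluded.
$unconstrained = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
        -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' } |
    Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName

# --- Indicator 2: privileged accounts with stale passwords or weak settings -----
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleBefore = (Get-Date).AddDays(-180)   # assumed maximum password age for admins

# Enterprise/Schema Admins only exist in the forest root domain; ignore lookup errors.
$privilegedDns = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty DistinguishedName
}
$privilegedUsers = $privilegedDns | Sort-Object -Unique | ForEach-Object {
    Get-ADUser -Identity $_ -Properties PasswordLastSet, PasswordNeverExpires,
        PasswordNotRequired, MemberOf, Enabled
}

$accountFindings = foreach ($u in $privilegedUsers) {
    $reasons = @()
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $staleBefore) { $reasons += 'stale password' }
    if ($u.PasswordNeverExpires) { $reasons += 'password never expires' }
    if ($u.PasswordNotRequired)  { $reasons += 'password not required' }
    # "Unprotected" is read here as: not a member of Protected Users, the built-in
    # group that blocks NTLM, weak Kerberos ciphers and delegation for its members.
    if (-not ($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })) {
        $reasons += 'not in Protected Users'
    }
    if ($reasons) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            Findings        = ($reasons -join '; ')
        }
    }
}

"`n== Computer accounts with unconstrained delegation (excluding DCs) =="
$unconstrained | Format-Table -AutoSize
"`n== Privileged accounts with account-security findings =="
$accountFindings | Sort-Object SamAccountName | Format-Table -AutoSize
```

Run it from a workstation with RSAT installed; both queries are reads, so nothing in the directory changes. Each non-DC computer in the first table is a candidate for moving to constrained or resource-based delegation, and each row in the second table is an admin account whose password policy or group membership deserves a closer look.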
 
Legacy AD misconfigurations can be a particular issue in larger organisations, which often inherit disparate AD infrastructures through frequent mergers and acquisitions. This is one reason respondents from businesses with more than 10,000 employees reported the lowest average overall security score at 63—nearly 10 points lower than the score across all sizes of organisations.   

Hybrid Infrastructures Add Further Risks  

With the rise of cloud applications and remote work, more organisations are adopting hybrid infrastructures that combine on-premises AD and cloud-based Entra ID—formerly known as Azure AD—or other cloud-hosted identity services. Hybrid identity lets employees use one login to authenticate to all services across the cloud and on premises, but this adds further risks.
 
Typical vulnerabilities can include inactive guest accounts, which leave an open gate to the Entra ID tenant, and misconfigured conditional access policies. In the report, 13 per cent of organisations reported five or more security indicators in the Azure AD category, which also tracks Entra ID users that are eligible for a privileged role—risking privilege escalation—and risky multi-factor authentication (MFA) settings.
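The two Entra ID indicators just mentioned, inactive guest accounts and conditional access policies that are not actually enforcing, can be listed with the Microsoft Graph PowerShell SDK. The script below is an added example written for this page, not code from the article, from Semperis or from Microsoft; it assumes the SDK is installed, that the signed-in account can be granted the listed read-only permissions, and uses a 90-day inactivity window that is an assumption, not a value from the report.

```powershell
# Added example, not from the article or from Semperis: list two Entra ID
# indicators the article names, using the Microsoft Graph PowerShell SDK (assumed
# installed). The 90-day window is an assumption. Reading signInActivity needs the
# AuditLog.Read.All permission and an Entra ID P1/P2 licence in the tenant.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Policy.Read.All' -NoWelcome

$cutoff = (Get-Date).AddDays(-90)

# --- Indicator 1: enabled guest accounts with no recent sign-in ----------------
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property 'id', 'displayName', 'userPrincipalName', 'createdDateTime', 'accountEnabled', 'signInActivity'

$inactiveGuests = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime   # $null if never signed in
    # Skip guests invited within the window who simply have not signed in yet.
    if ($g.AccountEnabled -and $g.CreatedDateTime -lt $cutoff -and
        (-not $lastSignIn -or $lastSignIn -lt $cutoff)) {
        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            Created           = $g.CreatedDateTime
            LastSignIn        = $lastSignIn
        }
    }
}

# --- Indicator 2: conditional access policies that are not enforcing ----------
# A policy left disabled or in report-only mode ('enabledForReportingButNotEnforced')
# contributes nothing to MFA enforcement; listing them starts a conditional-access review.
$nonEnforcing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -ne 'enabled' } |
    Select-Object DisplayName, State, ModifiedDateTime

"`n== Enabled guest accounts with no sign-in in the last 90 days =="
$inactiveGuests | Sort-Object LastSignIn | Format-Table -AutoSize
"`n== Conditional access policies not in 'enabled' state =="
$nonEnforcing | Format-Table -AutoSize
```

Guests in the first table are candidates for disabling or removal after the inviting business owner confirms they are no longer needed; policies in the second table should either be promoted to enabled after their report-only results are reviewed or deleted so they do not create a false sense of coverage.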
 
Overall, across assessment categories spanning account security, AD infrastructure, AD delegation and Group Policy, insurance companies fared worst, followed by organisations in retail, transport, and public infrastructure. Organisations have significant work to do in closing off identity-related security gaps that are frequently targeted by ransomware groups such as Vice Society, LockBit, BlackCat, and Clop. 
 
Identify Vulnerabilities & Close The Security Gaps

The good news is that remediation is possible once organisations have identified the key vulnerabilities in their Active Directory environment. Users reported improvements averaging 40 per cent and even as high as 64 per cent after using Purple Knight’s expert guidance to systematically address the risks found during their initial AD assessment.
 
However, because AD is a technology that is now nearly a quarter of a century old, many organisations simply lack the skills or experience to find and fix the relevant security gaps. In addition, improving AD security falls through the cracks at many organisations because IT administrators and security professionals work in different teams.
 
Collaboration, both within the organisation and with third-party security experts, as well as regular AD security audits are key to cleaning up risky identity environments and reducing the attack surface for identity-based attacks.
 
Due to the disappearance of the network perimeter, identity has become the last line of defence against cyberattacks. Active Directory and Entra ID will no doubt continue to prevail as business-critical identity services. Securing them should therefore be a priority.

Mickey Bresman is CEO and co-founder of Semperis. Image: monsitj
