Security Gaps In Business-Critical Identity Services 

Microsoft Active Directory was first released with the Windows 2000 server operating system and continues to be the identity service of choice for over 90 per cent of organisations. As a primary method of providing authentication and authorisation, AD is exploited in 9 out of 10 cyberattacks.
 
A report by Purple Knight, the free AD vulnerability assessment tool built by Semperis, has found that organisations of all sizes and across every industry are still failing to address Microsoft Active Directory (AD) security gaps that can leave them vulnerable to identity-based cyberattacks.

The survey of IT and security leaders reported an average score of 72 out of 100 on their initial assessment reports in the study of 150+ organisations globally—equating to a low C grade.

With identity-based attacks on the rise, cybercriminals often exploit AD to expand their attacks from one compromised user account to their victim’s entire IT infrastructure. An intruder can, for example, use any unprivileged AD account to read almost all attributes and objects in AD, including the user’s permissions. This information enables them to find and take over computer accounts that are configured with unconstrained delegation.
 
The consequences of such an attack can be disastrous: Once Active Directory is down, the entire organisation grinds to a halt - and AD can take weeks to restore.

 
As an example, the Kaseya attack paralysed as many as 1,500 organisations. An attack on Colonial Pipeline, the largest fuel pipeline in the US, led to shortages across the East Coast. And the attack on SolarWinds’ systems spread to about 18,000 customers. All these attacks involved AD—as do approximately 90 per cent of security incidents, according to Mandiant.
 
Although awareness of the security risks related to AD is growing, the Purple Knight research report indicates that organisations are still struggling to identify and address the vulnerabilities that leave their identity environments open to cyberattacks.
 
The results also corroborate findings from Microsoft: According to the 2022 Digital Defense Report, 88% of Microsoft customers affected by cyber incidents had “insecure AD configuration”. 

Privileged Accounts & Misconfigurations A Particular Issue 

One of the challenges for businesses trying to secure AD is a lack of visibility into the weak spots of the identity service. Complications can arise from inherited or legacy identity infrastructures, with outdated user permissions and inactive user accounts adding to the complexity. Most AD infrastructures were implemented years or even decades ago and have been managed by different administrators over time, accruing a solid misconfiguration debt.
 
Accordingly, the lowest score among the seven AD categories assessed by the Purple Knight tool related to account security. Organisations reported an average score of 61 out of 100, and over half (55 per cent) the respondents reported five or more security indicators in the account security category. Amongst the most common vulnerabilities uncovered were privileged users with weak passwords, unprotected accounts with admin rights, and admin accounts with old passwords.
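A read-only audit for three of the weak spots named above (unconstrained delegation on computer accounts, privileged accounts with old passwords, and accounts flagged as not requiring a password), written as an added example for this article; it is not Purple Knight or Semperis code. It assumes the RSAT ActiveDirectory module on a domain-joined host and a 365-day staleness threshold, which is an assumed value to adjust to local policy.

```powershell
# Added example, not from the article or the Purple Knight tool.
# Assumes the RSAT ActiveDirectory module; reads only, changes nothing.
Import-Module ActiveDirectory

$staleDays = 365                                   # assumed threshold for "old" admin passwords
$cutoff    = (Get-Date).AddDays(-$staleDays)

# 1. Computer accounts trusted for unconstrained delegation.
#    Domain controllers carry this flag by design, so they are excluded.
$dcNames = (Get-ADDomainController -Filter *).Name
$unconstrained = Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
                    -Properties TrustedForDelegation |
                Where-Object { $dcNames -notcontains $_.Name }

# 2. Enabled privileged users (adminCount=1 marks objects protected by
#    AdminSDHolder) whose password is older than the threshold or never set.
$staleAdmins = Get-ADUser -Filter { adminCount -eq 1 -and Enabled -eq $true } `
                   -Properties PasswordLastSet |
               Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff }

# 3. Enabled accounts with the PASSWD_NOTREQD control flag, which lets the
#    password policy be bypassed and allows an empty password.
$noPwdRequired = Get-ADUser -Filter { PasswordNotRequired -eq $true -and Enabled -eq $true } `
                     -Properties PasswordNotRequired

# Summary counts first, then the individual findings for follow-up.
[pscustomobject]@{
    UnconstrainedDelegationHosts = @($unconstrained).Count
    StalePrivilegedAccounts      = @($staleAdmins).Count
    PasswordNotRequiredAccounts  = @($noPwdRequired).Count
} | Format-List

$unconstrained | Select-Object Name, DNSHostName            | Format-Table -AutoSize
$staleAdmins   | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
$noPwdRequired | Select-Object SamAccountName                | Format-Table -AutoSize
```

Any non-DC host in the first list, and any account in the second or third, is a remediation item: move the host to constrained or resource-based delegation, rotate the stale credential, and clear the flag.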
 
Legacy AD misconfigurations can be a particular issue in larger organisations, which often inherit disparate AD infrastructures through frequent mergers and acquisitions. This is one reason respondents from businesses with more than 10,000 employees reported the lowest average overall security score at 63—nearly 10 points lower than the score across all sizes of organisations.   

Hybrid Infrastructures Add Further Risks

With the rise of cloud applications and remote work, more organisations are adopting hybrid infrastructures that combine on-premises AD and cloud-based Entra ID—formerly known as Azure AD—or other cloud-hosted identity services. Hybrid identity lets employees use one login to authenticate to all services across the cloud and on premises, but this adds further risks.
 
Typical vulnerabilities can include inactive guest accounts, which leave an open gate to the Entra ID tenant, and misconfigured conditional access policies. In the report, 13 per cent of organisations reported five or more security indicators in the Azure AD category, which also tracks Entra ID users that are eligible for a privileged role—risking privilege escalation—and risky multi-factor authentication (MFA) settings.
 
Overall, across assessment categories spanning account security, AD infrastructure, AD delegation and Group Policy, insurance companies fared worst, followed by organisations in retail, transport, and public infrastructure. Organisations have significant work to do in closing off identity-related security gaps that are frequently targeted by ransomware groups such as Vice Society, LockBit, BlackCat, and Clop. 
 
Identify Vulnerabilities & Close The Security Gaps

The good news is that remediation is possible once organisations have identified the key vulnerabilities in their Active Directory environment. Users reported improvements averaging 40 per cent and even as high as 64 per cent after using Purple Knight’s expert guidance to systematically address the risks found during their initial AD assessment.
 
However, because AD is a technology that is now nearly a quarter of a century old, many organisations simply lack the skills or experience to find and fix the relevant security gaps. In addition, improving AD security falls through the cracks at many organisations because IT administrators and security professionals work in different teams.
 
Collaboration - both within the organisation and with third-party security experts - as well as regular AD security audits are key to cleaning up risky identity environments and reducing the attack surface for identity-based attacks.
 
Due to the disappearance of the network perimeter, identity has become the last line of defence against cyberattacks. Active Directory and Entra ID will no doubt continue to prevail as business-critical identity services. Securing them should therefore be a priority.

Mickey Bresman is CEO and co-founder of Semperis
