Security Gaps In Business-Critical Identity Services 

Microsoft Active Directory was first released with the Windows 2000 server operating system and continues to be the identity service of choice for over 90 per cent of organisations. As a primary method of providing authentication and authorisation, AD is exploited in 9 out of 10 cyberattacks.
 
A report by Purple Knight, the free AD vulnerability assessment tool built by Semperis, has found that organisations of all sizes and across every industry are still failing to address Microsoft Active Directory (AD) security gaps that can leave them vulnerable to identity-based cyberattacks.

The survey of IT and security leaders reported an average score of 72 out of 100 on their initial assessment reports in the study of 150+ organisations globally—equating to a low C grade.

With identity-based attacks on the rise, cybercriminals often exploit AD to expand their attacks from one compromised user account to their victim’s entire IT infrastructure. An intruder can, for example, use any unprivileged AD account to read almost all attributes and objects in AD, including the user’s permissions. This information enables them to find and take over computer accounts that are configured with unconstrained delegation.
 
The consequences of such an attack can be disastrous: Once Active Directory is down, the entire organisation grinds to a halt - and AD can take weeks to restore.

 
As an example, the Kaseya attack paralysed as many as 1,500 organisations. An attack on Colonial Pipeline, the largest fuel pipeline in the US, led to shortages across the East Coast. And the attack on SolarWinds’ systems spread to about 18,000 customers. All these attacks involved AD—as do approximately 90 per cent of security incidents, according to Mandiant.
 
Although awareness of the security risks related to AD is growing, the Purple Knight research report indicates that organisations are still struggling to identify and address the vulnerabilities that leave their identity environments open to cyberattacks.
 
The results also corroborate findings from Microsoft: According to the 2022 Digital Defense Report, 88% of Microsoft customers affected by cyber incidents had “insecure AD configuration”. 

Privileged Accounts & Misconfigurations A Particular Issue 

One of the challenges for businesses trying to secure AD is a lack of visibility into the weak spots of the identity service. Complications can arise from inherited or legacy identity infrastructures, with outdated user permissions and inactive user accounts adding to the complexity. Most AD infrastructures were implemented years or even decades ago and have been managed by different administrators over time, accruing a solid misconfiguration debt.
 
Accordingly, the lowest score among the seven AD categories assessed by the Purple Knight tool related to account security. Organisations reported an average score of 61 out of 100, and over half (55 per cent) the respondents reported five or more security indicators in the account security category. Amongst the most common vulnerabilities uncovered were privileged users with weak passwords, unprotected accounts with admin rights, and admin accounts with old passwords.
 
Legacy AD misconfigurations can be a particular issue in larger organisations, which often inherit disparate AD infrastructures through frequent mergers and acquisitions. This is one reason respondents from businesses with more than 10,000 employees reported the lowest average overall security score at 63—nearly 10 points lower than the score across all sizes of organisations.   

Hybrid Infrastructures Adds Further Risks  

With the rise of cloud applications and remote work, more organisations are adopting hybrid infrastructures that combine on-premises AD and cloud-based Entra ID—formerly known as Azure AD—or other cloud-hosted identity services. Hybrid identity lets employees use one login to authenticate to all services across the cloud and on premises, but this adds further risks.
 
Typical vulnerabilities can include inactive guest accounts, which leave an open gate to the Entra ID tenant, and misconfigured conditional access policies. In the report, 13 per cent of organisations reported five or more security indicators in the Azure AD category, which also tracks Entra ID users that are eligible for a privileged role—risking privilege escalation—and risky multi-factor authentication (MFA) settings.
 
Overall, across assessment categories spanning account security, AD infrastructure, AD delegation and Group Policy, insurance companies fared worst, followed by organisations in retail, transport, and public infrastructure. Organisations have significant work to do in closing off identity-related security gaps that are frequently targeted by ransomware groups such as Vice Society, LockBit, BlackCat, and Clop. 
 
Identify Vulnerabilities & Close The Security Gaps

The good news is that remediation is possible once organisations have identified the key vulnerabilities in their Active Directory environment. Users reported improvements averaging 40 per cent and even as high as 64 per cent after using Purple Knight’s expert guidance to systematically address the risks found during their initial AD assessment.
 
However, because AD is a technology that is now nearly a quarter of a century old, many organisations simply lack the skills or experience to find and fix the relevant security gaps. In addition, improving AD security falls through the cracks at many organisations because IT administrators and security professionals work in different teams.
 
Collaboration - both within the organisation and with third-party security experts—as well as regular AD security audits are key to cleaning up risky identity environments and reducing the attack surface for identity-based attacks.
 
Due to the disappearance of the network perimeter, identity has become the last line of defence from cyberattacks. Active Directory and Entra ID will no doubt continue to prevail as business-critical identity services. Securing them should therefore be a priority

Mickey Bresman is CEO and co-founder of Semperis                           Image: monsitj

You Might Also Read: 

In Many Cases Active Directory Is The Last Line Of Defence:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« British Royal Family's Website Targeted 
Key Security Risks For Small Businesses »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alliance for Cyber Security

Alliance for Cyber Security

An alliance of all major players in the field of cyber security in Germany with a mission to strengthen Germany’s resistance to cyber-attacks.

Independent Security Evaluators (ISE)

Independent Security Evaluators (ISE)

ISE is an independent security consulting firm headquartered in Baltimore, Maryland dedicated to securing high value assets for global enterprises and performing groundbreaking security research.

Upstream Security

Upstream Security

Upstream Security is the first cloud-based cyber-security solution that protects the technologies and applications of connected and autonomous vehicles.

IronNet Cybersecurity

IronNet Cybersecurity

IronNet’s product and services provide enterprise-wide security management and visibility of your network, users and assets.

Czech Accreditation Institute

Czech Accreditation Institute

Czech Accreditation Institute is the national accreditation body for the Czech Republic. The directory of members provides details of organisations offering certification services for ISO 27001.

EMnify

EMnify

EMnify is a Software-as-a-Service (SaaS) company, revolutionizing cellular Internet of Things (IoT).

Keysight Technologies

Keysight Technologies

Keysight is dedicated to providing tomorrow’s test technologies today, enabling our customers to connect and secure the world with their innovations.

ConnectSecure

ConnectSecure

ConnectSecure (formerly CyberCNS) is a global cybersecurity company that delivers tools to identify and address vulnerabilities and manage compliance requirements.

The PenTesting Company

The PenTesting Company

The PenTesting Company is owned and operated by offensive security professionals. Penetration Testing is essentially all we do.

Tenet3

Tenet3

Tenet3's vision is to make optimal cyber strategy development tractable, data driven, with concrete success metrics. The result is cost effective cyber resilience for our customers.

Vanta

Vanta

Vanta helps companies scale security practices and automate compliance for the industry’s most sought after standards - SOC 2, ISO 27001, HIPAA, GDPR, and other security and privacy frameworks.

Curatrix Technologies

Curatrix Technologies

Curatrix Technologies is a Managed IT Service provider based in Hampshire, UK, providing high quality and reliable Managed IT Services since 2015.

Cranium

Cranium

Cranium are an international consultancy organisation specialised in privacy, security and data management.

NeuroID

NeuroID

NeuroID combines the power of industry-leading behavioral analytics with advanced device and network intelligence to create your first line of defense against malicious bots, bad actors, and fraud.

CESAR

CESAR

CESAR is one of the premier R+D and innovation centers in Brazil and a designated Cybersecurity Competence Center.

Cyber Security Certification Australia (CSCAU)

Cyber Security Certification Australia (CSCAU)

CSCAU is the world’s first 'for mission' industry council set up to address small and medium-sized business (SMB) cyber resilience through annually updated certifiable standards.