Security Gaps In Business-Critical Identity Services 

Uploaded on 2023-10-03 in TECHNOLOGY--Resilience, FREE TO VIEW

Microsoft Active Directory was first released with the Windows 2000 server operating system and continues to be the identity service of choice for over 90 per cent of organisations. As a primary method of providing authentication and authorisation, AD is exploited in 9 out of 10 cyberattacks.
 
A report by Purple Knight, the free AD vulnerability assessment tool built by Semperis, has found that organisations of all sizes and across every industry are still failing to address Microsoft Active Directory (AD) security gaps that can leave them vulnerable to identity-based cyberattacks.

The survey of IT and security leaders reported an average score of 72 out of 100 on their initial assessment reports in the study of 150+ organisations globally—equating to a low C grade.

With identity-based attacks on the rise, cybercriminals often exploit AD to expand their attacks from one compromised user account to their victim’s entire IT infrastructure. An intruder can, for example, use any unprivileged AD account to read almost all attributes and objects in AD, including the user’s permissions. This information enables them to find and take over computer accounts that are configured with unconstrained delegation.
 
The consequences of such an attack can be disastrous: Once Active Directory is down, the entire organisation grinds to a halt - and AD can take weeks to restore.
 
As an example, the Kaseya attack paralysed as many as 1,500 organisations. An attack on Colonial Pipeline, the largest fuel pipeline in the US, led to shortages across the East Coast. And the attack on SolarWinds’ systems spread to about 18,000 customers. All these attacks involved AD—as do approximately 90 per cent of security incidents, according to Mandiant.
 
Although awareness of the security risks related to AD is growing, the Purple Knight research report indicates that organisations are still struggling to identify and address the vulnerabilities that leave their identity environments open to cyberattacks.
 
The results also corroborate findings from Microsoft: According to the 2022 Digital Defense Report, 88% of Microsoft customers affected by cyber incidents had “insecure AD configuration”. 

Privileged Accounts & Misconfigurations A Particular Issue 

One of the challenges for businesses trying to secure AD is a lack of visibility into the weak spots of the identity service. Complications can arise from inherited or legacy identity infrastructures, with outdated user permissions and inactive user accounts adding to the complexity. Most AD infrastructures were implemented years or even decades ago and have been managed by different administrators over time, accruing a solid misconfiguration debt.
 
Accordingly, the lowest score among the seven AD categories assessed by the Purple Knight tool related to account security. Organisations reported an average score of 61 out of 100, and over half (55 per cent) the respondents reported five or more security indicators in the account security category. Amongst the most common vulnerabilities uncovered were privileged users with weak passwords, unprotected accounts with admin rights, and admin accounts with old passwords.
 
Legacy AD misconfigurations can be a particular issue in larger organisations, which often inherit disparate AD infrastructures through frequent mergers and acquisitions. This is one reason respondents from businesses with more than 10,000 employees reported the lowest average overall security score at 63—nearly 10 points lower than the score across all sizes of organisations.   

Hybrid Infrastructures Adds Further Risks  

With the rise of cloud applications and remote work, more organisations are adopting hybrid infrastructures that combine on-premises AD and cloud-based Entra ID—formerly known as Azure AD—or other cloud-hosted identity services. Hybrid identity lets employees use one login to authenticate to all services across the cloud and on premises, but this adds further risks.
 
Typical vulnerabilities can include inactive guest accounts, which leave an open gate to the Entra ID tenant, and misconfigured conditional access policies. In the report, 13 per cent of organisations reported five or more security indicators in the Azure AD category, which also tracks Entra ID users that are eligible for a privileged role—risking privilege escalation—and risky multi-factor authentication (MFA) settings.
 
Overall, across assessment categories spanning account security, AD infrastructure, AD delegation and Group Policy, insurance companies fared worst, followed by organisations in retail, transport, and public infrastructure. Organisations have significant work to do in closing off identity-related security gaps that are frequently targeted by ransomware groups such as Vice Society, LockBit, BlackCat, and Clop. 
 
Identify Vulnerabilities & Close The Security Gaps

The good news is that remediation is possible once organisations have identified the key vulnerabilities in their Active Directory environment. Users reported improvements averaging 40 per cent and even as high as 64 per cent after using Purple Knight’s expert guidance to systematically address the risks found during their initial AD assessment.
 
However, because AD is a technology that is now nearly a quarter of a century old, many organisations simply lack the skills or experience to find and fix the relevant security gaps. In addition, improving AD security falls through the cracks at many organisations because IT administrators and security professionals work in different teams.
 
Collaboration - both within the organisation and with third-party security experts—as well as regular AD security audits are key to cleaning up risky identity environments and reducing the attack surface for identity-based attacks.
 
Due to the disappearance of the network perimeter, identity has become the last line of defence from cyberattacks. Active Directory and Entra ID will no doubt continue to prevail as business-critical identity services. Securing them should therefore be a priority

Mickey Bresman is CEO and co-founder of Semperis                           Image: monsitj

You Might Also Read: 

In Many Cases Active Directory Is The Last Line Of Defence:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Royal Family's Website Targeted 
Key Security Risks For Small Businesses »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Kaymera Technologies

Kaymera Technologies

Kaymera’s comprehensive mobile enterprise security solution defends against all mobile threat and attack vectors.

ActiveCyber

ActiveCyber

ActiveCyber is a source for news, reviews, learning, and technological innovation in the active cyber defense industry.

J2 Software

J2 Software

J2 Software is a leading African Information Security and ICT business providing information security, governance, risk and compliance solutions.

Kindus

Kindus

Kindus is an IT security, assurance and cyber security risk management consultancy.

Etonwood

Etonwood

Etonwood specialises in infrastructure and vendor technology recruitment in areas including cloud platforms, cyber security and service management.

Securd

Securd

Securd takes opportunities away from your cyber adversaries. Cloud-delivered zero-trust DNS firewall and web filtering protection keep your business network and remote employees safe.

Onesecure Asia

Onesecure Asia

ONESECURE Asia’s expertise and services are built around its mission to provide reliable, robust and scalable technology solutions to cater for its customers’ needs.

Axiado

Axiado

Axiado Corporation is a security processor company redefining hardware root of trust with hardware-based security technologies, including per-system AI.

Shorebreak Security

Shorebreak Security

Shorebreak Securioty specialize in conducting highly accurate, safe, and reliable Information Security tests to determine the risks posed to your business.

Asimily

Asimily

Asimily’s IoMT risk remediation platform holistically secures the mission-critical healthcare devices that deliver safe and reliable care.

ORS Consulting

ORS Consulting

ORS Consulting is a specialist provider of risk management advisory services supporting asset-intensive industries such as chemicals, energy, power and utilities, defence and maritime.

Beyon Cyber

Beyon Cyber

Beyon Cyber offer a complete portfolio of advanced solutions & services for cyber security in Bahrain.

Datapac

Datapac

Datapac is one of Ireland’s largest and most successful ICT solutions and services providers. We have been at the forefront of technology innovation in Ireland for the past three decades.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.

Universal Technical Resource Services (UTRS)

Universal Technical Resource Services (UTRS)

UTRS is a technology firm that delivers a wide range of engineering, technical, strategic, and digital services to the public and private sectors.

BeamSec

BeamSec

BeamSec is a cybersecurity solutions provider committed to addressing the human element of risk against the evolving landscape of email-based cyber threats.