Security Gaps In Business-Critical Identity Services 


Microsoft Active Directory was first released with the Windows 2000 server operating system and continues to be the identity service of choice for over 90 per cent of organisations. As a primary method of providing authentication and authorisation, AD is exploited in 9 out of 10 cyberattacks.
 
A report by Purple Knight, the free AD vulnerability assessment tool built by Semperis, has found that organisations of all sizes and across every industry are still failing to address Microsoft Active Directory (AD) security gaps that can leave them vulnerable to identity-based cyberattacks.

The survey of IT and security leaders reported an average score of 72 out of 100 on their initial assessment reports in the study of 150+ organisations globally—equating to a low C grade.

With identity-based attacks on the rise, cybercriminals often exploit AD to expand their attacks from one compromised user account to their victim’s entire IT infrastructure. An intruder can, for example, use any unprivileged AD account to read almost all attributes and objects in AD, including the user’s permissions. This information enables them to find and take over computer accounts that are configured with unconstrained delegation.
 
The consequences of such an attack can be disastrous: once Active Directory is down, the entire organisation grinds to a halt, and AD can take weeks to restore.

 
As an example, the Kaseya attack paralysed as many as 1,500 organisations. An attack on Colonial Pipeline, the largest fuel pipeline in the US, led to shortages across the East Coast. And the attack on SolarWinds’ systems spread to about 18,000 customers. All these attacks involved AD—as do approximately 90 per cent of security incidents, according to Mandiant.
 
Although awareness of the security risks related to AD is growing, the Purple Knight research report indicates that organisations are still struggling to identify and address the vulnerabilities that leave their identity environments open to cyberattacks.
 
The results also corroborate findings from Microsoft: According to the 2022 Digital Defense Report, 88% of Microsoft customers affected by cyber incidents had “insecure AD configuration”. 

Privileged Accounts & Misconfigurations A Particular Issue 

One of the challenges for businesses trying to secure AD is a lack of visibility into the weak spots of the identity service. Complications can arise from inherited or legacy identity infrastructures, with outdated user permissions and inactive user accounts adding to the complexity. Most AD infrastructures were implemented years or even decades ago and have been managed by different administrators over time, accruing a solid misconfiguration debt.
 
Accordingly, the lowest score among the seven AD categories assessed by the Purple Knight tool related to account security. Organisations reported an average score of 61 out of 100, and over half (55 per cent) of the respondents reported five or more security indicators in the account security category. Amongst the most common vulnerabilities uncovered were privileged users with weak passwords, unprotected accounts with admin rights, and admin accounts with old passwords.
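As an added example, not code from the article or from Semperis' Purple Knight, the following PowerShell script audits two of the indicators described above from a defender's side: computer accounts configured with unconstrained delegation (the objects an intruder looks for once they can read AD with an unprivileged account) and enabled privileged accounts whose passwords are old, never set, or set to never expire. It assumes the RSAT ActiveDirectory module is installed and is run with ordinary domain read access; the 365-day threshold and the CSV path are local choices, not values from the report.

```powershell
# Added example, not code from the article or from Semperis/Purple Knight: a read-only
# audit for two of the account-security indicators described in the text, using the
# RSAT ActiveDirectory module. Assumptions: RSAT is installed, the caller has ordinary
# domain read access, and $MaxPasswordAgeDays / $ReportPath are local choices.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365
$ReportPath         = "$env:TEMP\ad-account-security-audit.csv"

# LDAP bitwise-AND matching rule, used to test individual userAccountControl flags.
$BitAnd                 = '1.2.840.113556.1.4.803'
$TRUSTED_FOR_DELEGATION = 524288   # 0x80000: unconstrained Kerberos delegation
$ACCOUNTDISABLE         = 2        # 0x2

# 1. Computer accounts with unconstrained delegation. Domain controllers carry this
#    flag by design, so they are filtered out; anything else is a finding to review.
$unconstrained = Get-ADComputer `
    -LDAPFilter "(userAccountControl:${BitAnd}:=${TRUSTED_FOR_DELEGATION})" `
    -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' } |
    ForEach-Object {
        [pscustomobject]@{
            Finding   = 'UnconstrainedDelegation'
            Account   = $_.Name
            Detail    = $_.OperatingSystem
            LastLogon = $_.LastLogonDate
        }
    }

# 2. Enabled privileged users (adminCount=1 is stamped by SDProp on members of
#    protected groups) whose password is old, never set, or set to never expire.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$stalePrivileged = Get-ADUser `
    -LDAPFilter "(&(adminCount=1)(!(userAccountControl:${BitAnd}:=${ACCOUNTDISABLE})))" `
    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    Where-Object {
        $_.PasswordNeverExpires -or
        -not $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $cutoff
    } |
    ForEach-Object {
        # Most severe reason wins; later assignments override earlier ones.
        $reason = "PasswordOlderThan${MaxPasswordAgeDays}Days"
        if (-not $_.PasswordLastSet) { $reason = 'PasswordNeverSet' }
        if ($_.PasswordNeverExpires) { $reason = 'PasswordNeverExpires' }
        [pscustomobject]@{
            Finding   = 'StalePrivilegedPassword'
            Account   = $_.SamAccountName
            Detail    = $reason
            LastLogon = $_.LastLogonDate
        }
    }

# Combine, show on screen, and keep a CSV so the next audit can be diffed against it.
$findings = @($unconstrained) + @($stalePrivileged)
$findings | Sort-Object Finding, Account | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} finding(s) written to {1}" -f $findings.Count, $ReportPath)
```

The script only reads the directory; remediation (removing the delegation flag, rotating or expiring the password, or disabling an unused admin account) is a separate, change-controlled step. Running it on a schedule and comparing the CSV with the previous run turns the one-off assessment the article describes into a recurring control.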
 
Legacy AD misconfigurations can be a particular issue in larger organisations, which often inherit disparate AD infrastructures through frequent mergers and acquisitions. This is one reason respondents from businesses with more than 10,000 employees reported the lowest average overall security score at 63—nearly 10 points lower than the score across all sizes of organisations.   

Hybrid Infrastructures Add Further Risks

With the rise of cloud applications and remote work, more organisations are adopting hybrid infrastructures that combine on-premises AD and cloud-based Entra ID—formerly known as Azure AD—or other cloud-hosted identity services. Hybrid identity lets employees use one login to authenticate to all services across the cloud and on premises, but this adds further risks.
 
Typical vulnerabilities can include inactive guest accounts, which leave an open gate to the Entra ID tenant, and misconfigured conditional access policies. In the report, 13 per cent of organisations reported five or more security indicators in the Azure AD category, which also tracks Entra ID users that are eligible for a privileged role—risking privilege escalation—and risky multi-factor authentication (MFA) settings.
 
Overall, across assessment categories spanning account security, AD infrastructure, AD delegation and Group Policy, insurance companies fared worst, followed by organisations in retail, transport, and public infrastructure. Organisations have significant work to do in closing off identity-related security gaps that are frequently targeted by ransomware groups such as Vice Society, LockBit, BlackCat, and Clop. 
 
Identify Vulnerabilities & Close The Security Gaps

The good news is that remediation is possible once organisations have identified the key vulnerabilities in their Active Directory environment. Users reported improvements averaging 40 per cent and even as high as 64 per cent after using Purple Knight’s expert guidance to systematically address the risks found during their initial AD assessment.
 
However, because AD is a technology that is now nearly a quarter of a century old, many organisations simply lack the skills or experience to find and fix the relevant security gaps. In addition, improving AD security falls through the cracks at many organisations because IT administrators and security professionals work in different teams.
 
Collaboration, both within the organisation and with third-party security experts, as well as regular AD security audits are key to cleaning up risky identity environments and reducing the attack surface for identity-based attacks.
 
Due to the disappearance of the network perimeter, identity has become the last line of defence against cyberattacks. Active Directory and Entra ID will no doubt continue to prevail as business-critical identity services. Securing them should therefore be a priority.

Mickey Bresman is CEO and co-founder of Semperis.
