
Thycotic’s CyberSecurity Publication


Back to the Basics: Service Account Management 101

November 8th, 2018


Service accounts don’t have to be a nightmare. Get in control now. 

Service accounts are typically used in operating systems to execute applications or run programs, either in the context of system accounts (highly privileged accounts without any password) or of a specific user account, usually created manually or during software installation. On Unix and Linux they are often known as init or inetd, and can also launch programs.

Can anyone remember who installed this application? And what was the service account password?  All too frequently asked questions!

Service accounts can be a pain for organizations to manage, especially when multiple accounts for different services, tasks and other applications have to be kept in sync; it’s time consuming and error prone when done manually. Service account password management is another challenge: if administrators don’t know where a service account is used, they can’t change its password without the risk of bringing down other applications.

Frequently, in software installations, the password for the service accounts either remains the default vendor password (easily found on the internet), or is in the memory of the consultant who installed the software.

20% have never changed their default passwords for privileged accounts

As a result of these bad practices, service account and application passwords are often set to never expire and subsequently remain unchanged year after year. Failing to change service account passwords represents a significant security risk because service accounts often have access to sensitive data and systems.

73% fail to audit, remove or modify default accounts before moving applications to production

There is no shortage of these risky accounts. Most organizations have more service accounts than employees, sometimes up to five times as many!  The accounts are often provisioned without any automated controls set in place. If they are provisioned without any robust process in place then that begs the question: is anyone keeping track of these service accounts when they are no longer needed?

70% fail to fully discover privileged accounts - and 40% don't even try

This is, unfortunately, common in many organizations, and when it comes to securing the organization against cyber-attacks, it’s a really bad practice.  I have seen so many incidents in which the IT Operations team are running around trying to figure out the service account password during a failed upgrade, patch deployment, maintenance mishap, or even worse—during a major security incident. At this point, it is already too late, with end users and the executive team screaming for answers.

Because service accounts are often managed manually from cradle to grave, they are prone to errors.

HERE’S AN EXAMPLE: A HIGH-POWERED SPREADSHEET EXPERIENCE

I was once hired by a state-of-the-art power station. It was relatively new, fully automated with remote controls, and they wanted me to review its cybersecurity protection and security control.

The physical security was impressive. The security system could tell when visitors were 5 minutes away, and gave security advance warning of when visitors should arrive, what they would be driving, and how many people were in the vehicle. If visitors arrived 1 minute before or after the prediction, they would have to deal with armed guards.

All physical doors had access controls, including the engine rooms. Once inside the engine rooms, each engine had its own control valves to physically change pressure and water flow. The control valves were not secured, although the risk of tampering was low. Command and control via the programmable logic controllers (PLCs) and SCADA control systems all featured the latest and greatest cybersecurity advanced threat protection, with millions spent to prevent cybersecurity attacks.

They had built themselves a physical and cyber fortress.

Then it happened. Sitting on the table next to the controls was a printed page. It contained all the IP addresses, usernames, and passwords for each control station and the service accounts. They had not been changed in more than four years and had all been installed by the manufacturer with default vendor credentials.

Anyone could have made copies of this list: visitors, former employees or even contractors.

Anyone could have taken a smartphone picture and then instigated an attack at their leisure. The power station never would have seen it coming.

A Privileged Service Account with default vendor password can be the difference between a simple perimeter breach and a cyber catastrophe

Do not be another statistic. Get in control of managing your service accounts now.  Prioritizing this will not only help save you time and money; it will also improve your cybersecurity and reduce your risk of a cyber-attack.

The Privileged Access Management Lifecycle will help you get in control of your Service Accounts

Privileged Access Management Lifecycle

Like any IT security measure designed to help protect critical information assets, managing and protecting service accounts requires both a plan and an ongoing program. You must identify which service accounts should be a priority in your organization. This report briefly describes a PAM lifecycle model which provides a high-level roadmap that global organizations can use to establish their own service account management program.

Define

Define and classify service accounts. Every organization is different, so you need to map out what important applications and programs rely on data, systems, and access. One approach is to reuse a disaster recovery plan that typically classifies important applications and specifies which need to be recovered first. Make sure to align your service accounts to your business risk and operations.

Discover

Discover your service accounts. Use automated PAM software to identify your service accounts, and implement continuous discovery to curb service account sprawl. This helps ensure full, ongoing visibility of your service account landscape, which is crucial to combating cybersecurity threats. Try our free Privileged Account Discovery Tools for Windows or Unix.
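To show what discovery has to produce before a password can be rotated safely, here is an added example (not Thycotic's tooling or code from this article) that builds a "where is this account used" map from a per-host service export and flags stale passwords. The CSV layout, the password dates, the 90-day limit and the single-domain name normalization are assumptions; `StartName` is the Win32_Service property that holds a service's logon account.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample: one row per installed service, exported from each host.
SERVICES_CSV = """Host,Service,StartName
app01,Spooler,LocalSystem
app01,BackupAgent,CORP\\svc_backup
db01,BackupAgent,corp\\SVC_BACKUP
db01,MSSQLSERVER,CORP\\svc_sql
web01,ReportSync,svc_report@corp.example
web01,W32Time,NT AUTHORITY\\LocalService
"""
# Constructed directory data: when each password was last set (svc_report unknown).
PWD_LAST_SET = {"svc_backup": date(2014, 6, 1), "svc_sql": date(2018, 9, 15)}
BUILTIN = {"localsystem", "nt authority\\system",
           "nt authority\\localservice", "nt authority\\networkservice"}

def normalize(start_name):
    # DOMAIN\user or user@domain -> lowercase account name (assumes one domain).
    name = start_name.strip().lower()
    if "\\" in name:
        return name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def where_used(csv_text):
    """Map each non-built-in logon account to the (host, service) pairs using it."""
    usage = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["StartName"].strip().lower()
        if raw in BUILTIN or raw.startswith("nt service\\"):
            continue  # system and virtual accounts have no password to rotate
        usage[normalize(raw)].append((row["Host"], row["Service"]))
    return dict(usage)

def rotation_report(usage, pwd_last_set, today, max_age_days=90):
    """Per account: password age, overdue flag, and services to update on rotation."""
    report = []
    for account, uses in sorted(usage.items()):
        last = pwd_last_set.get(account)
        age = (today - last).days if last else None
        report.append({"account": account, "age_days": age,
                       "overdue": age is None or age > max_age_days,
                       "update_on_rotation": uses})
    return report

if __name__ == "__main__":
    for entry in rotation_report(where_used(SERVICES_CSV), PWD_LAST_SET, date.today()):
        print(entry)
```

An account with no recorded password date is reported as overdue, so an unknown does not pass as compliant.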

Discover service accounts

Manage and protect

Protect your service account passwords. Proactively manage, monitor, and control service account access with password protection software. Your solution should automatically discover and store service accounts; schedule password rotation; audit, analyze, and manage activity; and monitor password accounts to quickly detect and respond to malicious activity.

Monitor

Monitor service account activity. Your PAM solution should be able to monitor and record service account activity. This will help enforce proper behavior and avoid mistakes by employees and other IT users because they know their activities are being monitored.

Detect abnormal usage

Track and alert on service account behavior. With up to 80% of breaches involving a compromised user or privileged account, gaining insights into service account access is a top priority. Ensuring visibility into the access and activity of your service accounts in real time will help spot suspected account compromise and potential abuse. For example, monitor when a service account has been used to log on to a system.
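The logon-monitoring check described above, as an added example rather than code from this article or any product: it scans Windows successful-logon events (Security event ID 4624) and alerts when a known service account logs on interactively or on a host where it is not expected. The JSON-lines layout, the account inventory and the sample events are constructed assumptions; `TargetUserName`, `LogonType` and `IpAddress` are fields of the 4624 event.

```python
import json

# Logon types that indicate a person typed the credentials rather than the
# service control manager (type 5) or a network session (type 3) using them.
HUMAN_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumed inventory: service account -> hosts where it is expected to log on.
EXPECTED_HOSTS = {"svc_backup": {"app01", "db01"}, "svc_sql": {"db01"}}

# Constructed sample events, one JSON object per line.
EVENTS = """\
{"EventID": 4624, "Computer": "db01", "TargetUserName": "svc_sql", "LogonType": 5, "IpAddress": "-"}
{"EventID": 4624, "Computer": "db01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.11"}
{"EventID": 4624, "Computer": "web01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.57"}
{"EventID": 4624, "Computer": "db01", "TargetUserName": "SVC_SQL", "LogonType": 10, "IpAddress": "10.0.0.57"}
{"EventID": 4624, "Computer": "app01", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "127.0.0.1"}
{"EventID": 4625, "Computer": "db01", "TargetUserName": "svc_sql", "LogonType": 10, "IpAddress": "10.0.0.57"}
"""

def find_abnormal_logons(lines, expected_hosts):
    """Return (account, host, source_ip, reasons) for suspicious service-account logons."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        account = ev["TargetUserName"].lower()  # Windows account names are case-insensitive
        if ev["EventID"] != 4624 or account not in expected_hosts:
            continue  # only successful logons by inventoried service accounts
        host = ev["Computer"].lower()
        reasons = []
        if ev["LogonType"] in HUMAN_LOGON_TYPES:
            reasons.append(HUMAN_LOGON_TYPES[ev["LogonType"]] + " logon")
        if host not in expected_hosts[account]:
            reasons.append("unexpected host")
        if reasons:
            alerts.append((account, host, ev["IpAddress"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_abnormal_logons(EVENTS, EXPECTED_HOSTS):
        print(alert)
```

The check is only as good as the inventory behind it: an account missing from the inventory is never evaluated, which is why discovery comes before monitoring in the lifecycle.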

Respond to incidents

Prepare an incident response plan in case a service account is compromised. When a service account is breached, simply changing service account passwords or disabling the service account is not acceptable. If the account has been compromised by an outside attacker, the attacker can install malware and even create their own service accounts or other privileged accounts.

Review and audit

Audit and analyze service account activity. Continuously observing how service accounts are being used through audits and reports will help identify unusual behaviors that may indicate a breach or misuse. These automated reports also help track the cause of security incidents, as well as demonstrate compliance with policies and regulations.  Determine if service accounts are still required, review security controls and update expiration dates.

With a Privileged Access Management solution you can really get in control of your service accounts


Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.
