1(630)802-8605 Ravi.das@bn-inc.net

As we all know, one of the main targets for a Cyberattacker has always been, and will continue to be for a long time, the password.  There are many tried and true techniques for getting at it, ranging from all-out brute force attacks to dictionary attacks to password cracking and Phishing.  However, it is the last method that the Cyberattacker seems to favor the most in their quest for your password.

After all, for them, it is pretty easy to send out an Email luring their victims to a spoofed-up website, have them log in, and voila, the password is now gone forever.  But believe it or not, Cyberattackers are now starting to demonstrate a new trend.  The days of going after the average person seem to be dissipating a bit, and now they are favoring higher-value passwords.

These are the keys that unlock the IT and Network Infrastructure of a business or a corporation.  Yep, you got it.  What they want now are the administrative passwords and other forms of access rights.  It only makes sense, right?  I mean, a Cyberattacker can go after 100 victims and maybe get 20 passwords, which may or may not have a lot of value to them.

But by accessing perhaps just one or two administrative-level passwords, the Cyberattacker has a much greater probability of gaining much more valuable assets, namely the Intellectual Property (also known as the “IP”), and using that for even higher financial gains and rewards.

This trend has been substantiated by a survey that was conducted by a Cybersecurity firm known as “Thycotic”.  It was a rather informal market research project and was distributed to 300 attendees at the recent Black Hat conference that was held from August 3rd to the 8th.

Here are some of the results of this particular survey:

*49% of them claimed to be hackers (this was the good kind; only 4% of them said they had criminal intentions);

*51% claimed that they were security professionals (no exact titles were given);

*When asked which types of administrative passwords would be the most favored by a Cyberattacker, these were the responses:

    *Domain Admin Accounts @34%;
    *Root Accounts @30%;
    *Service Accounts @20%;
    *Local Accounts @12%;
    *Default Built-in Accounts @4%.

*When asked which of the above are the most vulnerable to a Cyberattack, here is what was discovered:

    *Domain Admin Accounts @26%;
    *Service Accounts @24%;
    *Root Accounts @18%;
    *Local Accounts @17%;
    *Default Built-in Accounts @15%.

*In order to get at the above-mentioned administrative accounts, the survey found that the following kinds of environments are the most favored:

    *On-premises @30%;
    *Cloud @29%;
    *Hybrid cloud-on-premises @17%;
    *Supply chain contractors @19%.

*What kinds of security measures are taken to protect these passwords? Here is what the survey also discovered:

    *Complex passwords;
    *Multi-Factor Authentication;
    *Privileged access controls;
    *Frequent password rotation;
    *Auditing;
    *Alerting.

My Thoughts On This

Actually, the survey gets even more interesting.  Half of the respondents (both hackers and the so-called security professionals) claimed that once the administrative passwords were stolen and the assets hijacked, they would be sold on the Dark Web for a profit, and 5% would use them to launch a Ransomware attack (which seems like an abnormally low number to me – after all, a Cyberattacker can get a lot of $$$ with this kind of threat vector).

Even those polled who claimed to be hackers did not seem to have a very favorable rating of the major Cloud providers when it came to their levels of security with regard to protecting the administrative-level passwords of their clients.  For example:

*Only 32% had a favorable opinion of AWS;

*Only 22% had a favorable opinion of Google Cloud services;

*Only 20% had a favorable opinion of Azure.

So, in light of this situation, what are some of the best defenses for protecting the administrative-level passwords that are used in your IT/Networking environment?  Here are some suggestions from the respondents who were polled:

*Remove any unused service accounts;
*Have a regular schedule for changing passwords;
*Monitor all privileged account activity in order to locate any suspicious or anomalous behavior;
*Make use of Password Managers;
*Implement Multi-Factor Authentication (MFA);
*Have and maintain regular Employee Security Awareness Education training programs.
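The stale-account and monitoring items above can be checked mechanically against logon records.  The following Python is an added example, not code from the post, the survey or Thycotic; it runs three such checks over a constructed batch of logon events (every account name, host and timestamp is made up): service accounts with no successful logon within 90 days, successful privileged logons from a host that account has never used before, and bursts of failed logons against a single account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not from the survey or the post):
# (timestamp, account, account category, source host, outcome)
SAMPLE_EVENTS = [
    ("2019-08-01T08:02:00", "CORP\\da-jsmith", "domain_admin", "adm-ws01", "success"),
    ("2019-08-02T09:15:00", "CORP\\da-jsmith", "domain_admin", "adm-ws01", "success"),
    ("2019-08-18T12:00:00", "CORP\\svc-backup", "service", "bkp01", "success"),
    ("2019-08-20T03:41:00", "CORP\\da-jsmith", "domain_admin", "kiosk-17", "success"),
    ("2019-08-21T10:00:00", "root", "root", "db01", "success"),
] + [  # six failed logons in 25 seconds against one service account
    (f"2019-08-19T22:10:{s:02d}", "CORP\\svc-legacy", "service", "app02", "failure")
    for s in range(0, 30, 5)
]
# Constructed service-account inventory; svc-old never appears in the log at all.
SERVICE_ACCOUNTS = {"CORP\\svc-backup", "CORP\\svc-legacy", "CORP\\svc-old"}

def parsed(events):
    """Events sorted by time, with the timestamp converted to a datetime."""
    return sorted((datetime.fromisoformat(e[0]),) + tuple(e[1:]) for e in events)

def stale_service_accounts(events, now_iso, max_idle_days=90):
    """Service accounts with no successful logon in max_idle_days: removal candidates."""
    last_ok = {}
    for ts, acct, cat, host, out in parsed(events):
        if cat == "service" and out == "success":
            last_ok[acct] = ts
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(a for a in SERVICE_ACCOUNTS if last_ok.get(a, datetime.min) < cutoff)

def new_host_logons(events):
    """Successful privileged logons from a host that account has never used before."""
    seen, alerts = defaultdict(set), []
    for ts, acct, cat, host, out in parsed(events):
        if out == "success":
            if seen[acct] and host not in seen[acct]:
                alerts.append((acct, host, ts.isoformat()))
            seen[acct].add(host)
    return alerts

def failure_bursts(events, threshold=5, window_s=60):
    """Accounts with >= threshold failed logons inside a sliding window (guessing/spraying)."""
    recent, flagged = defaultdict(list), set()
    for ts, acct, cat, host, out in parsed(events):
        if out == "failure":
            recent[acct] = [t for t in recent[acct] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[acct]) >= threshold:
                flagged.add(acct)
    return sorted(flagged)
```

On the sample data, svc-legacy is flagged both as never successfully used and as the target of a failed-logon burst, which is the combination an auditor would want to look at first.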

I’ve got to be honest, when I first started writing this blog, and even until now, I am amazed that even the Cyberattacker now has a preference for what they want to go after.  It always seemed to me that whenever or wherever they could find a certain vulnerability or weakness, they would jump right in.  But it seems that this is not the case anymore.

As I have written before, the Cyberattacker is now taking their own sweet time to study the profile of their unsuspecting victims, and when the moment is right, they pounce, but of course in the stealthiest manner possible.

Once in, they will want to stay in as long as they can while going undetected.  The idea now is not to steal everything all at once, but in bits, so that the victim does not suspect anything.

But it only makes sense to target root-level passwords, and the On-Prem applications they are used for.  After all, most organizations that still use this traditional model, for the most part, do not deploy all of the adequate security measures that are needed.

Although I hate complex passwords, it is also good to see that IT Security still sees the value in them.  After all, which is easier to break?  ABC or !@AbC#$%?  Obviously, using a Password Manager in this regard will be of great help in remembering all of these super long passwords.

But I am quite surprised to see that the major Cloud providers have such a low favorable rating for the security measures that they employ.  In this regard, I have not heard of too many hacks into Azure or Google recently, but AWS has been making waves, primarily because of the misconfigured S3 buckets that were created on the client end.

Finally, more details on this very interesting survey can be found here: