Security teams have long known that service accounts carry significant risk and can pose a major threat to businesses. Even so, protecting them from malicious actors has not been a priority until recently. As we know from years past, the holiday season is a popular time of year for threat actors to try new tricks to break into an organization’s network.
Now that service accounts have found their way into compliance and regulatory conversations and cyber insurance policies, service account security has grabbed the immediate attention of business decision-makers.
Service accounts are a type of dedicated non-human account created by IT admins to execute applications and run automated services, virtual machine instances, and other tasks within an organization’s network. It is common for service accounts to be assigned a high level of privilege similar to that of an administrator user. Service accounts typically do not require admin-level access; they are given this excessive privilege merely to ensure that operations remain uninterrupted.
Breaches that utilize compromised service accounts continue to be the MO of most attackers because of the immense amount of access they give to things like customer and financial data, as well as critical business resources.
In response to the evolving risks associated with service accounts, during the holidays and year-round, we’re seeing increased regulation and cyber insurance requirements relating to protecting service accounts. Rather than waiting until an organization is forced to secure its service accounts, business leaders need to be proactive and get ahead of rising threats. Here are the best practices for protecting service accounts amid today’s growing threat landscape:
- Conduct regular audits to identify and inventory all service accounts within your network. Use each audit to determine the purpose and usage of every service account and to assess the permissions and access rights associated with it. Regular audits of the service account inventory give businesses a complete picture of their service accounts and their activities, and allow them to identify accounts that are no longer being used. In fact, at Silverfort, we often see more service accounts in our customers’ networks than they think they have, which creates serious security risks.
- Get a baseline of normal activity, habits and usage so that you can tell when abnormal activity warrants a security flag. Take, for example, a service account that is designed to run only one automated task a day and then suddenly makes over 100 access attempts over two days. This would be a red flag and call for further investigation. When activity is regularly monitored and the correct safeguards are in place, the environment’s hygiene is improved and attacks can be stopped.
- Honor the principle of ‘least privilege’ to reduce access to sprawling service accounts. Recent data shows that access to privileged accounts increases security risks for organizations due to the potential impact of compromise and attackers gaining elevated access. Establish a process for regularly reviewing the requirements and permissions associated with service accounts to ensure they have only the necessary permissions and identify any potential security gaps or unauthorized access rights. As a result, identity and security teams will save themselves from playing catch-up later on and they will be ready to combat security issues when they arise.
- Focus on monitoring and alerting on abnormal or malicious behavior. To ensure that service account activity is monitored and that suspicious activity raises an alert, organizations should create and apply specific access policies for each service account. Identity protection solutions can help establish baseline behaviors for service accounts and identify deviations that may indicate a compromise.
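The baseline and alerting practices in the list above can be sketched as follows. This is an added example, not code from the original article or from Silverfort; the account names, hosts, 14-day baseline, 2-day window and 10x threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

def build_sample_events():
    """Constructed sample data: (day, service account, destination) per access attempt."""
    start, events = date(2024, 12, 1), []
    for i in range(14):   # 14 quiet days: svc-backup runs one task a day
        events.append((start + timedelta(days=i), "svc-backup", "fileserver"))
    for i in range(14, 16):   # then 2 days of 60 attempts each against 20 other hosts
        events += [(start + timedelta(days=i), "svc-backup", f"host{n % 20:02d}") for n in range(60)]
    for i in range(16):   # control account whose behaviour never changes
        events += [(start + timedelta(days=i), "svc-report", "db01")] * 5
    return events

def find_anomalies(events, baseline_days=14, window_days=2, factor=10):
    """Flag accounts whose attempts in the last window_days exceed factor times the
    baseline rate, or that reach destinations never seen during the baseline."""
    first = min(day for day, _, _ in events)
    cutoff = first + timedelta(days=baseline_days)
    daily, known, recent = defaultdict(Counter), defaultdict(set), defaultdict(list)
    for day, acct, dst in events:
        if day < cutoff:   # baseline period: learn rate and usual destinations
            daily[acct][day] += 1
            known[acct].add(dst)
        else:
            recent[acct].append((day, dst))
    findings = {}
    for acct, seen in recent.items():
        last = max(day for day, _ in seen)
        window = [(d, dst) for d, dst in seen if d > last - timedelta(days=window_days)]
        # Idle baseline days count as zero; floor the rate at one attempt per day.
        counts = [daily[acct][first + timedelta(days=i)] for i in range(baseline_days)]
        expected = max(median(counts), 1) * window_days
        new_dsts = sorted({dst for _, dst in window} - known[acct])
        if len(window) > factor * expected or new_dsts:
            findings[acct] = {"attempts": len(window), "expected": expected,
                              "new_destinations": new_dsts}
    return findings

if __name__ == "__main__":
    for acct, detail in find_anomalies(build_sample_events()).items():
        print(acct, detail)
```

An account with no baseline history at all is also flagged, because every destination it touches is new; that makes the check a useful cross-reference against the audited inventory.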
Compromised service accounts can be the key that opens the door into your network. They provide unprotected server-to-server and app-to-app access, and many of them were created and deployed decades ago, when the right security controls were not in place. By implementing a more proactive approach to service account security this holiday season and next year, businesses can fend off the risk of compromised service accounts that are being utilized by malicious actors in their ongoing cyberattacks. Don’t let sophisticated threat actors be a grinch in your season.