“Identity is the number one security concern.” Tim Nursall, Field Engineer at Illusive spoke at Infosecurity Europe last week on identity risk and the Analysing Identity Risks Report.
So, what is identity risk? With the migration of networks to the cloud and the overall shift towards remote work and off-premises devices, the historically understood network perimeter has changed entirely. Through endpoint vulnerabilities and privileged credentials, attackers can now breach a system through a multitude of doors.
The Analysing Identity Risks (AIR) report, presented by Tim Nursall of Illusive Networks, elucidates the patterns and security weaknesses of companies as they pertain to identity risks. These are, in fact, more common than one might imagine!
Nursall explained the danger of identity risk through data collected for this report. It was found that 100% of Illusive audits showed privileged identity risks and that one out of six endpoints and servers have exploitative identity risks. Additionally, the audits determined that 87% of local administrators remained unenrolled in privileged account management solutions and that 55% of exposed privileged identity credentials were stored in browsers. Easily accessible browsers.
And what about passwords? According to the Illusive audits, 62% of local administrator passwords had remained unchanged for more than one year, 17% for more than five years, and 1% for over ten years. Ten!
There is also a trend towards the misconfiguration of privileged identity access in companies that AIR has analysed. 40% of shadow administration risks can be exploited in one single step, and 13% of shadow admin still have domain administration privileges. Why, Illusive might ask its clients, does a general employee who, years ago, set up the company website, still have enough privileged access to take down the domain entirely?
While yes, Nursall said, it is important to scan for risks and vulnerabilities of the network itself, it is just as important (perhaps even more so) to recognise those identity risks in the organisation. Without protecting against identity risks, a vulnerability management program is overall ineffective. This is because all organisations have identity risks, and all organisations must continually focus on discovering and remediating them. And it doesn’t just stop there: Illusive helps its clients create a management program for keeping identity risk away, permanently.