Strong passwords are the key to protecting your organization’s accounts – even the ones you’ve forgotten about. Hackers will search for any way to access your environment or steal your data, even exploiting long-forgotten stale or inactive accounts.
Old accounts can easily be overlooked, but they can still offer initial access routes for hackers and provide them with a platform to expand their activities. Every account with access to your infrastructure matters.
Securing test accounts
Testing environments – produced when creating new software or website features, for instance – are tempting targets for hackers.
Criminals can use these accounts to gain easy access to data: for example, genuine customer information used in developing the test environment. They can even exploit the environments as springboards to other, more privileged accounts.
It's true that a hacker can do more damage with an admin or privileged account, but this is no reason for complacency.
When a skilled attacker gains access to any user account with login credentials (even an old test account with very low access privileges) they can use it as a platform to extend their access and escalate their privilege.
They can move horizontally between accounts with similar privilege levels, for instance, or jump vertically to accounts with more privileges, such as IT team accounts or admin accounts.
Test account exploited in Microsoft breach
The potential threat was on full display in January, when Microsoft said its corporate network had been compromised by Russian state hackers. The attackers (identified as Russian state-sponsored actors known as Midnight Blizzard) were able to exfiltrate emails and attached documents.
Microsoft said that only a “very small percentage” of corporate email accounts were accessed, though this did include members of senior leadership and employees in the cybersecurity and legal teams.
The attackers gained entry by using a ‘password spray attack’, a brute force technique that involves trying the same password against multiple accounts. The attack didn’t exploit a Microsoft system or product vulnerability.
Rather, it was as simple as guessing a weak or known breached password on an unused test account. In the words of the software giant, the attackers “used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold”.
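What a spray looks like from the defender's side is the mirror image of the description above: one source trying a few passwords against many accounts, rather than many passwords against one. The following is an added example, not code from the article, Microsoft or Specops, that flags that pattern in a handful of constructed failed-logon records. The record format, IP addresses and account names are all made up for the illustration; the thresholds (five accounts inside a 30-minute window, no more than two failures per account) are assumptions a team would tune to its own lockout policy.

```python
"""Flag password-spray patterns in failed-logon records (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real log data: "<UTC timestamp> <source IP> <target account>".
# 203.0.113.7 tries one password against many accounts (spray pattern);
# 198.51.100.9 hammers a single account (classic brute force);
# 192.0.2.5 is a user mistyping their own password twice.
SAMPLE_FAILURES = """
2024-01-12T03:00:01Z 203.0.113.7 test-tenant-01
2024-01-12T03:00:04Z 203.0.113.7 svc-legacy
2024-01-12T03:00:07Z 203.0.113.7 QA.User
2024-01-12T03:00:10Z 203.0.113.7 build-bot
2024-01-12T03:00:13Z 203.0.113.7 demo-account
2024-01-12T03:00:16Z 203.0.113.7 jdoe
2024-01-12T03:05:00Z 198.51.100.9 administrator
2024-01-12T03:05:02Z 198.51.100.9 administrator
2024-01-12T03:05:04Z 198.51.100.9 administrator
2024-01-12T03:05:06Z 198.51.100.9 administrator
2024-01-12T03:05:08Z 198.51.100.9 administrator
2024-01-12T03:05:10Z 198.51.100.9 administrator
2024-01-12T03:05:12Z 198.51.100.9 administrator
2024-01-12T03:05:14Z 198.51.100.9 administrator
2024-01-12T03:10:00Z 192.0.2.5 asmith
2024-01-12T03:10:20Z 192.0.2.5 asmith
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_failures(text):
    """Parse the sample format into (timestamp, source, account) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable record: {line!r}")
        stamp, source, account = match.groups()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, source, account.lower()))  # account names are case-insensitive
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source: sorted target accounts} for sources showing a spray pattern.

    A source is flagged when, inside one sliding time window, it fails against at
    least `min_accounts` distinct accounts while never exceeding `max_per_account`
    failures on any single one. That low per-account count is what keeps a spray
    under lockout thresholds, and it is also what separates it from brute force.
    """
    by_source = defaultdict(list)
    for when, source, account in events:
        by_source[source].append((when, account))

    flagged = {}
    for source, attempts in by_source.items():
        recent = deque()      # attempts inside the current window
        counts = Counter()    # per-account failures inside the window
        for when, account in attempts:
            recent.append((when, account))
            counts[account] += 1
            while when - recent[0][0] > window:
                _, expired = recent.popleft()
                counts[expired] -= 1
                if counts[expired] == 0:
                    del counts[expired]
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[source] = sorted({a for _, a in attempts})
                break
    return flagged


def spray_report(text, **thresholds):
    """Convenience wrapper: parse raw records and return the flagged sources."""
    return detect_spray(parse_failures(text), **thresholds)


if __name__ == "__main__":
    for source, accounts in spray_report(SAMPLE_FAILURES).items():
        print(f"possible password spray from {source}: {len(accounts)} accounts -> {accounts}")
```

Run against the sample, only 203.0.113.7 is reported; the single-account brute force and the user's two typos fall below the distinct-account threshold. In production the same rule would be fed from the domain controllers' failed-logon events rather than a text dump, and attackers often rotate source addresses, so grouping by target tenant or by user agent as well as by IP is a sensible extension.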
This underscores the importance of ensuring the highest levels of protection for all accounts, not just an admin or a privileged account.
It’s vital that organizations avoid weak or default credentials on test accounts; that they decommission test accounts/environments after a PoC; and that test accounts and similar environments are properly segregated.
How to keep all accounts secure with strong passwords
So what steps can you take to protect all your accounts – even inactive environments?
Active Directory auditing: It’s crucial to maintain visibility over unused and inactive accounts, along with other password-related vulnerabilities.
Not sure how many stale accounts are currently hiding in your Active Directory?
Run a read-only scan of your Active Directory environment with Specops Password Auditor. This free tool can audit your domain for stale or inactive accounts, which you can then secure with strong passwords or delete entirely.
Your free exportable report will contain other useful information too. Specops Password Auditor also checks your user accounts and passwords against a list of over 1 billion breached passwords obtained from data breach leaks, letting you know which end users have weak or compromised passwords that could be targeted by hackers.
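For readers who want to see the rule behind a stale-account scan, here is an added example that is not the Specops tool and not code from the article: it applies an inactivity cut-off to a constructed export of AD user attributes. The attribute names (`sAMAccountName`, `lastLogonTimestamp`, `whenCreated`) are Active Directory's own and `enabled` mirrors the property name PowerShell exposes; the CSV layout, the fixed "now" and every account in the export are made up for the example. Two details matter in practice: `lastLogonTimestamp` is a Windows FILETIME, not a Unix time, and it only replicates when it is roughly 14 days out of date, so the cut-off should leave that much slack before an account is declared stale.

```python
"""Find stale Active Directory accounts in an exported attribute dump (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC; AD stores
# lastLogonTimestamp in this form, and 0 means the account has never logged on.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Fixed 'now' so the constructed sample below is reproducible.
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime (None for 0/unset)."""
    ticks = int(ticks)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; used here only to build the sample export."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def build_sample_export(now):
    """Constructed CSV export (not real directory data) with one row per account."""
    def days_ago(n):
        return now - timedelta(days=n)

    rows = [
        # sAMAccountName, enabled, last logon (FILETIME), created
        ("jdoe", "True", datetime_to_filetime(days_ago(3)), days_ago(800)),
        ("test-tenant-01", "True", datetime_to_filetime(days_ago(400)), days_ago(900)),
        ("svc-legacy", "True", 0, days_ago(300)),                  # never logged on
        ("demo.pilot", "True", datetime_to_filetime(days_ago(100)), days_ago(200)),
        ("old.contractor", "False", datetime_to_filetime(days_ago(700)), days_ago(1000)),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sAMAccountName", "enabled", "lastLogonTimestamp", "whenCreated"])
    for name, enabled, last_logon, created in rows:
        writer.writerow([name, enabled, last_logon, created.isoformat()])
    return buf.getvalue()


def load_export(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_accounts(rows, now, inactive_days=90, replication_slack_days=14):
    """Return sAMAccountNames of enabled accounts with no logon for inactive_days.

    lastLogonTimestamp is only written back to the directory when the stored
    value is more than about 14 days old (minus a random offset), so the true
    last logon may be up to that much later than the attribute says. Widening
    the cut-off by replication_slack_days avoids flagging an account that did
    log on recently. Accounts that never logged on are judged by whenCreated.
    """
    cutoff = now - timedelta(days=inactive_days + replication_slack_days)
    stale = []
    for row in rows:
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: still worth removing, but it offers no logon
        last_seen = filetime_to_datetime(row["lastLogonTimestamp"])
        if last_seen is None:
            last_seen = datetime.fromisoformat(row["whenCreated"])
        if last_seen < cutoff:
            stale.append(row["sAMAccountName"])
    return sorted(stale)


if __name__ == "__main__":
    export = load_export(build_sample_export(NOW))
    print("stale, enabled accounts:", stale_accounts(export, NOW))
```

With the default 90-day rule the forgotten test tenant and the never-used service account are reported, while `demo.pilot` (100 days idle) is not, because the 14-day replication slack pushes the effective cut-off to 104 days; tightening `inactive_days` to 60 brings it into the list.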
Multi-factor authentication: MFA is a vital defense against hackers, providing extra layers of protection even if a password has been compromised. The more forms of defense you have, the better. This could begin with two-factor authentication – for instance, a password followed by confirmation through a one-time passcode.
However, the strongest MFA goes beyond two steps, perhaps also including a biometric approach, such as a facial scan or a fingerprint.
If MFA is established across your accounts – even test accounts – your security will dramatically improve. However, beware that MFA can still be circumvented, and a breached password is still the most common starting point.
Strengthen password policies: It might seem obvious, but an effective password is a vital first line of defense against hackers. Your password policy should block end users from creating weak passwords built on common base terms or keyboard walks such as ‘qwerty’ or ‘123456’.
The best approach is to enforce long, unique passwords or passphrases, while also utilizing custom dictionaries that block any terms related to your specific organization and industry.
Specops Password Policy lets you easily set up strong and custom password policies that are compliant. Crucially, the system provides dynamic feedback to users, helping them to create strong passwords that they will actually remember.
Specops Password Policy also continuously blocks over 4 billion unique compromised passwords. The system uses a continuous scan feature to ensure that breached passwords are located daily, not just at password change or reset.
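The checks described in this section can be expressed as a small set of layered rules. The following is an added example, not Specops Password Policy and not code from the article: it evaluates a candidate password for length, a common base term once decoration is stripped (case, trailing digits and symbols, leetspeak substitutions), a keyboard walk, an organization and industry dictionary, and membership in a breached-password list. The minimum length, the dictionary terms and the three-entry "breached" list are all constructed for the example; a real list is stored the same way (as hashes) but holds billions of entries and is refreshed continuously rather than checked only at password change.

```python
"""Evaluate a candidate password against a layered policy (added example)."""
import hashlib
import re

MIN_LENGTH = 15  # assumed policy value; long passphrases are the goal

# Constructed custom dictionary: terms tied to the organisation and its industry.
ORG_DICTIONARY = {"contoso", "fabrikam", "widgets", "payroll", "summer"}

# Common base terms users decorate with digits and symbols.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}

# Physical keyboard rows; any run of four or more from a row (or its reverse) is a walk.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed 'breached' list held as SHA-1 digests, the way leaked-password
# corpora are normally distributed. Real lists are far larger.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Summer2023!", "P@ssw0rd123", "Contoso2024")
}

# Common leetspeak substitutions, undone before comparing against base terms.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Reduce 'P@ssw0rd123' to 'password': lowercase, drop leading/trailing
    non-letters, then undo leetspeak inside the remaining core."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def has_keyboard_walk(password, run=4):
    """True if the password contains a run of `run` adjacent keys from one row."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def evaluate_password(password, custom_dictionary=ORG_DICTIONARY, breached=BREACHED_SHA1):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    base = normalize(password)
    if base in COMMON_BASES:
        problems.append(f"built on the common term '{base}'")

    lowered = password.lower()
    if base in custom_dictionary or any(term in lowered for term in custom_dictionary):
        problems.append("contains an organisation or industry term")

    if has_keyboard_walk(password):
        problems.append("contains a keyboard walk")

    # Compare the full, unmodified password against the breached corpus.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    if digest in breached:
        problems.append("appears in a breached-password list")

    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "Contoso-Payroll-2024", "Qwerty123456789",
                      "correct horse battery staple"):
        verdict = evaluate_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The normalization step is what makes the base-term rule effective: without it, `P@ssw0rd123` passes a naive dictionary check even though it is one of the most common shapes in leaked corpora. Returning the list of violations, rather than a bare yes/no, is what lets a policy tool give users the dynamic feedback the section above describes.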
Upgrade your password security across all accounts
There’s no doubt that we face a highly sophisticated range of cybercriminal adversaries, who will exploit any weakness to compromise your system, steal your data, cause financial damage – and destroy your reputation. These criminals embrace new technologies to enable their password spray attacks and other brute force methods.
However, while technology provides new avenues for hackers, it is also the key to building your defenses. With tools like Password Policy and Password Auditor, you can detect vulnerabilities across your accounts – even those you didn’t know existed.
Speak to a Specops expert today about boosting password security across your entire Active Directory.
Sponsored and written by Specops Software.