
Privileged Accounts:

6 Risks managed by PAM

Within any organization, there are several risks associated with privileged accounts: some are common and easy to address, while others are rare but complex to manage. The use of a Privileged Access Management (PAM) solution helps to manage these risks by minimizing or even eliminating them.

Privileged Accounts: Dynamic Risks

Risks related to privileged accounts can come from both intentional actions and simple mistakes or negligence. From the use of generic accounts to the transfer of malicious files, we’ve identified 6 key risks (non-exhaustive) that organizations face, ranging from common, easily mitigated threats to rare yet complex challenges:

  • Generic Accounts: The use of generic accounts presents a significant security risk, as it does not provide the ability to trace access to systems. In the event of a data breach or malicious activity, identifying the source becomes impossible, which encourages such actions.

 

  • Shadow Admin: This refers to an internal administrator or third party who creates an unauthorized administrator account that is hidden from the system. While the administrator has an official account, they may, either maliciously or unintentionally, create a parallel admin account to expedite their tasks without going through proper authorization channels. These hidden admin accounts are difficult to trace and control, creating a risk of data leakage, as the administrator can use this account to access sensitive data without oversight. Additionally, this unmonitored access could facilitate the spread of ransomware.

 

  • Former Administrator: This scenario involves an administrator who leaves the company but retains knowledge of the credentials used to access the administration network. Even after leaving, they may still have access to critical resources and sensitive data. If they act maliciously, they could steal sensitive information or cause system disruption.

 

  • Connection with a Compromised Device: This risk arises when a third-party maintainer or an administrator connects to the company’s administration network through a workstation that has been compromised. The infected workstation can act as a gateway, spreading ransomware or similar malicious software throughout the administration network.

 

  • Identity Theft (or hijacking): In cases of identity theft or session hijacking, an attacker may gain access to a user’s session either physically or remotely. Alternatively, an attacker might steal the provider’s identity despite the presence of strong authentication mechanisms, allowing them to connect using legitimate credentials. Once logged in, the attacker could carry out malicious actions or steal confidential data.

 

  • Transfer of Infected Files: In this scenario, an administrator, needing to update a server, uses their personal device to connect to the administration network. If they download an update file from the internet and transfer it to the administration network without proper validation, a corrupted file can introduce ransomware or other malicious software to the network, spreading the infection throughout the system.

PAM: Solution to Prevent Cyber Risks

PAM solutions offer various functionalities to reduce or even eliminate these risks:

  • Automatic Password Injection: The automatic injection of passwords into resources or applications helps mitigate risks associated with generic accounts, as administrators no longer have direct knowledge of the passwords. This approach ensures that credentials are not shared with third parties, and since administrators access their own sessions, all actions are fully traceable.
  • Account Discovery: The account discovery feature allows regular scans to identify shadow admin accounts. Once detected, these accounts can either be reintegrated into the official account list with traceability and control mechanisms or deleted, ensuring better management and security of privileged accounts.
  • Automatic Password Rotation: Automatic password rotation ensures that passwords are changed regularly, preventing former administrators from accessing the system with outdated credentials after the rotation is completed.
  • A Secure Exchange Gateway: cyberelements offers a secure exchange gateway. It ensures that files transferred are authorized, properly scanned for viruses, and checked for the user’s permissions before being validated for transfer. 
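
To make the Account Discovery item concrete, here is an added example (not cyberelements code, and not how any particular PAM product implements discovery) of a scan that lists privileged Unix accounts and flags those missing from the official inventory. The sample `passwd` and `group` contents, the `APPROVED_ADMINS` inventory and the `ADMIN_GROUPS` set are constructed assumptions.

```python
# Added example: constructed sample data, not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc_backup:x:0:1002:backup:/home/svc_backup:/bin/sh
bob:x:1003:1003:Bob:/home/bob:/bin/bash
tmpadm:x:1004:1004::/home/tmpadm:/bin/bash
dave:x:1006:27:Dave:/home/dave:/bin/bash
"""
GROUP = """\
sudo:x:27:alice,tmpadm
users:x:100:alice,bob
"""
APPROVED_ADMINS = {"root", "alice"}  # hypothetical official inventory
ADMIN_GROUPS = {"sudo", "wheel"}     # assumption: groups that grant admin rights


def discover_privileged(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Return {account: [reasons]} for every account holding admin rights."""
    found, primary = {}, {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip blank or malformed entries
        name, uid, gid = fields[0], fields[2], fields[3]
        primary.setdefault(gid, set()).add(name)
        if uid == "0":  # any UID 0 account is root-equivalent, whatever its name
            found.setdefault(name, []).append("uid=0")
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[0] not in admin_groups:
            continue
        members = {m for m in fields[3].split(",") if m}
        # Primary-group members do not appear in the group's member field.
        for name in sorted(members | primary.get(fields[2], set())):
            found.setdefault(name, []).append(f"group={fields[0]}")
    return found


def shadow_admins(found, approved):
    """Privileged accounts that are absent from the approved inventory."""
    return {n: r for n, r in sorted(found.items()) if n not in approved}


if __name__ == "__main__":
    for name, reasons in shadow_admins(
            discover_privileged(PASSWD, GROUP), APPROVED_ADMINS).items():
        print(f"unlisted privileged account: {name} ({', '.join(reasons)})")
```

On the sample data the scan reports `dave` (admin group as primary group), `svc_backup` (a second UID 0 account) and `tmpadm`, each of which would then be either brought under management or deleted.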

As a PAM solution, cyberelements drastically reduces the complexity of the operational response to these risks, in particular to certain risks that are rarely handled by third-party PAM solutions.
