Service accounts are a type of privileged account. Left unmanaged, they can carry several hidden cyber risks and are a potential threat to the businesses that use them.
What are Service Accounts?
To start to answer this question, let’s first take a look at user accounts. These accounts are accessed by a human user, often using an email address and password associated with the account. Access to a user account is specific to that user and is not shared with anyone else. A user account will have limited permissions (or “privileges”) granted to it, so that the user can work according to their role. If PAM (Privileged Access Management) and IAM (Identity and Access Management) have been tightly structured, a cyber threat actor that infiltrates a user account will find it harder to quickly move laterally across the business network. We previously discussed the emphasis that insurers are placing on PAM and IAM here.
Service accounts are “non-human” accounts (not specific to an individual human user). Service account IDs are associated with applications or virtual machines. Whilst there is an email address assigned to a service account, these accounts can only be authenticated with a long, complex key rather than a password, and login cannot be completed via a browser.
Used widely throughout an organization’s operating systems, they execute vital, automated business activities and other processes on behalf of a user account. Since they perform specific tasks, they typically have more privileges than a “normal”, human user. Therefore, service accounts are granted greater access to business-critical applications and data.
Service accounts are typically managed by a Windows Active Directory.
Active Directory: a commonly-used structure that stores and organizes data and that enables control over user access to that data. Limiting account privileges and securing service accounts is therefore crucial for this network structure.
For example, an email may be sent from a human account, but several service accounts will be involved in additional background processes such as working out how to get the email to its recipient (these service accounts are called MTAs, or mail transport agents), testing the accuracy of the email address, and scanning the email for any viruses. Another example is the account under which a web server handles HTTPS requests, which is what enables everyday users to browse the internet.
Why are Service Accounts Vulnerable to Cyber Attacks?
Service accounts are often poorly managed, especially in SMBs that use Active Directory. This is because the number of service accounts that these companies typically have makes them more time-intensive and costly for smaller IT teams to monitor manually. As a result, mismanaged service accounts can widen a business’ digital attack surface and make it ripe for exploitation.
Overwhelming reach across business operations
With so many service accounts sprawling over an organizational network, any changes to them carry immense business disruption risk. In some instances, it can be difficult to identify which of the service accounts is connected to which of the vital programs, apps, and processes that the business depends on. Therefore, making changes to a service account can risk bringing down other applications in a business network.
Lax least privilege policies
Service accounts are often built with a high level of access permissions, more commonly described in the cyber field as ‘privileges’. This can lead to unnecessary privileges and means that a single breached service account could have a wide-ranging impact across an entire business network.
Privileged accounts: a user account that has fewer limitations on what it can or cannot do in a system such as installing or removing software, or changing configurations of a system or applications. In other words, it has greater privileges than ordinary user accounts.
For example, IT teams can allocate permissions that allow users to:
- Modify: view and amend files and file properties (such as deleting and adding files to a directory).
- Read: view files and their properties.
- Write: write to a file.
- Full Control: read, modify, add, move, and delete files and their properties; change permissions settings for all files.
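A way to turn the four permission levels above into a concrete check, as an added example that is not part of the original article: a PowerShell function that reads a folder's ACL with Get-Acl and labels each entry with the level it grants, so that an IT team can see which identities (service accounts included) hold Full Control or Modify on a sensitive share. The folder path C:\Data\Finance is an assumed placeholder.

```powershell
# Added example, not from the original article. Maps Windows file-system ACL entries onto the
# four permission levels described above (Read, Write, Modify, Full Control).
function Get-PermissionLevel {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $fs = [System.Security.AccessControl.FileSystemRights]
    # Check the broadest level first: Full Control includes Modify, which includes Write and Read.
    foreach ($level in 'FullControl', 'Modify', 'Write', 'Read') {
        $flag = $fs::$level
        if (($Rights -band $flag) -eq $flag) {
            if ($level -eq 'FullControl') { return 'Full Control' }
            return $level
        }
    }
    # Inherit-only entries can carry "generic" rights that Get-Acl shows as raw numbers;
    # they land here and are worth inspecting by hand rather than assuming they are harmless.
    return 'Other/partial'
}

function Get-FolderPermissionReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value   # e.g. CONTOSO\svc_backup (constructed example)
            Level     = Get-PermissionLevel -Rights $ace.FileSystemRights
            Type      = $ace.AccessControlType         # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (assumed path): list every Allow entry that grants Full Control or Modify.
Get-FolderPermissionReport -Path 'C:\Data\Finance' |
    Where-Object { $_.Type -eq 'Allow' -and $_.Level -in 'Full Control', 'Modify' } |
    Format-Table -AutoSize
```

Running the report over the shares that hold business-critical data answers the "quantity and quality" question for file permissions directly: an identity that only needs to write log files but shows up as Full Control is an unnecessary privilege of exactly the kind the article describes.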
The complexities associated with changing passwords and usernames for service accounts add to their vulnerability. Due to the broad reach of service accounts across a business network, authentication details are often left unchanged. IT teams will want to avoid unplanned downtime where a change in username and password combination prevents a service account from interacting with the multiple processes or applications relying on it.
Multifactor authentication (MFA) also creates some difficulties for IT teams, given that service accounts are not operated by human users.
The Problem with Privileged Accounts
A study estimated that 80% of recent high-profile breaches were achieved through compromised privileged accounts.
This has become such a widespread attack vector for a number of reasons. Firstly, it has become extremely common for any business operating with some form of technology to have some unknown or unprivileged accounts. Secondly, privileged accounts are often mismanaged and therefore left open to cyber intruders.
For example, Domain Administrator accounts are rarely deleted on a routine basis. However, they sit in an Active Directory with high default privileges. This is a problem because every user that has access to these types of accounts grows the attack surface available to a threat actor. They are a gold mine for cyber hackers, who will look for Domain Admin accounts that have been left unmanaged to infiltrate a network, move across it with relative ease using the high privileges afforded to the account, and execute almost any activity.
Are your insureds still not sensing the urgency? Here are some numbers to shock them into action:
What Should Cyber Insurance Professionals Look Out For in Service Accounts?
Cyber underwriters must be especially aware of the implications that poorly-managed service accounts could have on a policy. Overall, cyber carriers typically require service accounts to be itemized in an inventory, to be SOC-monitored, and to be protected against credential harvesting.
Quantity and quality
Check the volume of service accounts associated with the insured and delve into the privileges granted to these accounts. Concern arises where a domain admin group contains all accounts with full permissions to perform any task in that environment.
Improved cyber hygiene practices
Questions to ask your insured:
- How often do they audit the number of their service accounts? How often do they audit the privileges associated with these accounts?
- Which accounts are still in use? How many are there?
- Has the insured clearly mapped out which of the programs, applications, or system tasks rely on each of the service accounts?
- What is their password policy? The best practice would be to rotate passwords to ensure that these are regularly updated and are complex enough to prevent a brute-force attack.
- What Windows server settings have the insured enabled? They should be denying interactive login to prevent service account login credentials from being used on a human login screen with a keyboard and mouse.
- Have they implemented Privileged Access Management (PAM)? This is now a minimum requirement for cyber policy applications. You can read more about PAM here.
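The checklist above can be turned into a repeatable audit that an insured's IT team can run and hand over. The following is an added example and not the article's own material: PowerShell that inventories service accounts in Active Directory (by naming convention, plus any user with a service principal name), checks each against the Domain Admins group, password age and last logon, and then reads the local security policy to show which principals are assigned the two "deny interactive logon" rights the Windows server settings question refers to. It assumes the RSAT ActiveDirectory module, a svc_/svc- naming convention, 90-day thresholds, and local administrator rights for the secedit export; all of those are assumptions, not facts from the article.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ServiceAccountInventory {
    param(
        [string[]]$NamePatterns = @('svc_*', 'svc-*'),  # assumed naming convention
        [int]$StaleDays = 90                            # assumed threshold for "still in use"
    )
    $props  = 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate', 'ServicePrincipalName', 'Enabled'
    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleDays)

    # Nested membership counts: a service account in a group inside Domain Admins is still a domain admin.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    $accounts = @(
        foreach ($pattern in $NamePatterns) {
            Get-ADUser -Filter "SamAccountName -like '$pattern'" -Properties $props
        }
        # Any user with an SPN is a Kerberos service identity, whatever it happens to be called.
        Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props
    )

    $accounts | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
        [pscustomobject]@{
            Account              = $_.SamAccountName
            Enabled              = $_.Enabled
            IsDomainAdmin        = $domainAdmins -contains $_.SamAccountName
            HasSPN               = [bool]$_.ServicePrincipalName
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordAgeDays      = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
            # No recorded logon, or none within the threshold: a candidate for decommissioning.
            StaleLogon           = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        }
    }
}

function Get-DenyInteractiveLogonAssignments {
    # Exports the effective local security policy (needs local admin) and returns the principals
    # assigned the two "deny" logon rights. Run it on each server that hosts the services.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $lines = Get-Content -Path $inf
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    $result = [ordered]@{}
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        # Format is "Right = *S-1-5-...,NAME": SIDs carry a leading '*', names appear as typed.
        $result[$right] = if ($line) {
            (($line -split '=', 2)[1]).Split(',') | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {
                    # Resolve the SID to a name where possible; keep the raw SID if it no longer resolves.
                    try { ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entry }
                } else { $entry }
            }
        } else { @() }
    }
    return $result
}

# Usage: rows that answer "no" to one of the checklist questions (90-day password age is assumed).
Get-ServiceAccountInventory |
    Where-Object { $_.IsDomainAdmin -or $_.PasswordNeverExpires -or $_.PasswordAgeDays -gt 90 -or $_.StaleLogon } |
    Format-Table -AutoSize

$deny = Get-DenyInteractiveLogonAssignments
foreach ($right in $deny.Keys) { '{0}: {1}' -f $right, ($deny[$right] -join ', ') }
```

A service account that appears in Domain Admins, has a never-expiring or year-old password, or has shown no logon in 90 days is an item for the insured to explain, and a service account missing from both deny lists on the servers it runs on means its credentials would still work on a human login screen. Managed service accounts (listed by Get-ADServiceAccount) are deliberately outside this inventory: the directory rotates their passwords itself, so they answer the password-policy question differently.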
In conclusion, service accounts pose a risk of business interruption and the expenses that follow. The key to tackling emerging cyber threats is to stay on top of them with updated industry knowledge and understanding. In a hardening market, cyber insurance professionals are more pressed than ever before to ensure that they handle their insureds with precision and confidence. This can only be achieved through robust cyber training and continuing education that refreshes and evolves with the market itself.