Service Accounts Spark Deep Concern Among Cyber Underwriters.

The cyber attack landscape is constantly changing. But it is up to cyber insurance professionals to remain updated on new vulnerabilities and attack vectors. Let’s consider one of the most recent threat exposures.
Service Accounts

Service accounts are a type of privileged account. Left unmanaged, these accounts can carry several, hidden cyber risks and are a potential threat to the businesses that use them. 

Not familiar with the CCIS program? Read about it here.
Not familiar with the CCIS program? Read about it here.

What are Service Accounts?

To start to answer this question, let’s first take a look at user accounts. These accounts are accessed by a human user, often using an email address and password associated with the account. Access to user accounts is specific to the user and is not shared with anyone else. A user account will have limited permissions (of “privileges”) granted to it, to enable the user to work according to their role. If PAM (Privileged Access Management) and IAM (Identity and Access Management)  have been tightly structured, a cyber threat actor that infiltrates a user account will find it harder for them to quickly move laterally across the business network. We previously discussed the emphasis that insurers are placing on PAM and IAM here

Service accounts are “non-human” accounts (not specific to an individual human user). Service account IDs are associated with applications or virtual machines. Whilst there is an email address assigned to a service account, these accounts can only be authenticated with a long, complex key rather than a password, and login can not be completed via a browser. 

Used widely throughout an organization’s operating systems, they execute vital, automated business activities and other processes on behalf of a user account. Since they perform specific tasks, they typically have more privileges than a “normal”, human user and therefore are granted greater access to business-critical applications and data. 

Service accounts are typically managed by a Windows Active Directory. 

Active Directory: a commonly-used structure that stores and organizes data and that enables control over user access to that data. Limiting account privileges and securing service accounts is therefore crucial for this network structure. 

Service accounts often sit on a AD system.
Service accounts often sit on a AD system.

For example, an email may be sent from a human account, but several service accounts will be involved in additional background processes such as working out how to get the email to its recipient (these service accounts are called MTAs or mail transport agents), testing the email address accuracy, and scanning the email for any viruses. Another example of a service account function includes HTTPS requests on web servers, which enables everyday users to surf the internet.

Service Accounts vs User Accounts
Service Accounts vs User Accounts

Why are Service Accounts Vulnerable to Cyber Attacks?

Service accounts are often poorly managed, especially in SMBs that use Active Directory, since, the number of service accounts that these companies typically have makes them more time-intensive and costly for smaller IT teams to monitor on a manual basis. As a result, mismanaged service accounts can widen a business’ digital attack surface and makes it ripe for exploitation.

Overwhelming reach across business operations

With so many service accounts sprawling over an organizational network, any changes to them carry immense business disruption risk. In some instances, it can be difficult to identify which of the service accounts is connected to which vital business programs, apps, and processes that the business depends on. There is therefore a risk that making changes to a service account will bring down other applications in a business network.

Lax least privilege policies

Service accounts are often built with a high level of access permissions, more commonly described in the cyber field as ‘privileges’. This can lead to unnecessary privileges and means that a single breached service account could have a wide-ranging impact across an entire business network. 

Privileged accounts: a user account that has fewer limitations on what it can or cannot do in a system such as installing or removing software, or changing configurations of a system or applications. In other words, it has greater privileges than ordinary user accounts.

For example, IT teams can allocate permissions that allow users to:

  • Modify: view and amend files and file properties (such as deleting and adding files to a directory).  
  • Read: view files and their properties.
  • Write: write to a file.
  • Full Control: read, modify, add, move, and delete files and their properties; change permissions settings for all files.

Authentication security

The complexities associated with changing passwords and usernames for service accounts add to their vulnerability. Due to the broad reach of service accounts across a business network, authentication details are often left unchanged; IT teams will want to avoid unplanned downtime where a change in username and password combination prevents a service account from interacting with the multiple processes or applications relying on it.

Multifactor authentication (MFA) also creates some difficulties for IT teams, given that service accounts are not operated by human users.

The Problem with Privileged Accounts

A study estimated that 80% of recent high-profile breaches were achieved through compromised privileged accounts. 

Privileged accounts are often poorly managed.
Privileged accounts are often poorly managed.

This has become such a widespread attack vector for a number of reasons. Firstly, it has become extremely common for any business operating with some form of technology to have some unknown or unprivileged accounts. Secondly, privileged accounts are often mismanaged and therefore left open to cyber intruders. 

For example, Domain Administrators are rarely deleted on a routine basis and yet they sit in an Active Directory with high default privileges. This is a problem because every user that has access to these types of accounts grows the attack surface available for a threat actor. They are a gold mine for cyber hackers, who will look for Domain Admins which have been left unmanaged to infiltrate a network, move across it with relative ease using the high privileges afforded to the account and execute almost any activity. 

Are your insureds still not sensing the urgency? Here are some numbers to shock them into action:

What Should Cyber Insurance Professionals Look Out For in Service Accounts?

This developing cyber risk should concern all insurance professionals, but cyber underwriters must be especially aware of the implications that poorly-managed service accounts could have on a policy. 

We’ve gathered some suggestions on how to tackle this issue:

Quantity and quality – check the volume of service accounts associated with the insured and delve into the privileges granted to these accounts. Accounts that are part of a domain admin group and which contain all accounts with full permissions to perform any task in that environment should set off alarm bells. 

Improved cyber hygiene practices – questions to ask your insured:

  • How often do they audit the number of their service accounts? How often do they audit the privileges associated with these accounts? 
  • Which accounts are still in use? How many are there? 
  • Has the insured clearly mapped out which of the programs, applications, or system tasks rely on each of the service accounts? 
  • What is their password policy? The best practice would be to rotate passwords to ensure that these are regularly updated and are complex enough to prevent a brute-force attack. 
  • What Windows server settings have the insured enabled? They should be denying interactive login to prevent service account login credentials from being used on a human login screen with a keyboard and mouse. 
  • Implementing Privileged Access Management (PAM). This is now a minimum requirement for cyber policy applications. You can read more about PAM here

Service accounts best practices

Service accounts pose a major risk to businesses, jeopardizing major business interruptions and the expensive costs that come with them. The key to tackling emerging cyber threats is to be on top of them with updated industry knowledge and understanding. In a hardening market, cyber insurance professionals are more pressed than ever before to ensure that they handle their insureds with precision and confidence. This can only be achieved through robust cyber training and continuing professional development which refreshes and evolves with the market itself.

We make cyber simple for insurance professionals through interactive, accredited courses, a thriving community of cyber insurance pros and a range of Continuing Professional Development activities. Click here to sign up for a recording of one of our latest Masterclasses on Parametric Cyber Insurance.

Copyright © 2022 Cyber Insurance Academy | Registered as Cyber Advisory Excellence | Rothschild Blvd 45, Tel-Aviv | +972 5290594 Designed and built by Studio Praktik