The most well-known type of system credential is the administrative, or root, password. These accounts are “administrators,” meaning they usually have total access to the system they belong to. Administrator accounts are used by your IT staff or contractors to manage the basic operations of a system. These operational tasks could include maintenance, data migrations, and other common IT work that requires elevated access beyond normal business use. Your servers, routers, applications, cloud services: nearly every technology product or service has an administrative password.
How Administrative Passwords Can Be Misused
Administrative credentials are very powerful. Exposing them can even make malware unnecessary. These credentials are the keys to the kingdom, and their exposure can be catastrophic, as it gives anyone who finds them total control over the respective systems and consequently, whatever data is on them.
In practice, administrative accounts are used all the time to perform basic operations, even when they shouldn’t be. Services run under admin accounts, and applications are written with admin account details hardcoded in plain text. This type of usage not only makes these services and applications risky, but also adds risk to everything else that the administrative account has access to.
How To Securely Manage Administrative Passwords
So we know that the way administrative passwords are used is often not ideal. Best practices include:
- Limiting the use of administrative accounts, and if possible, using multi-factor authentication (MFA) or other mechanisms to prevent a password leak alone from compromising the account. NotPetya, one of the most damaging malware attacks of all time, extracted admin credentials and used them to wreak havoc.
- Combined with MFA, using an identity-management solution to know who has access to administrative passwords, locking down their access and creating a more verifiable audit trail in case a leak does occur.
- Where administrative accounts must be used, implementing the principle of least privilege, meaning that functions should run with only as much authority and access as they need to perform their jobs.
The principle of least privilege is designed to confine a compromised account to as small a footprint as possible. For example, if an application is running under an account that has access to the application and nothing else, an attacker who compromises that account can access the application and that’s all. On the other hand, if that same application is running under a domain administrator account, a compromise grants access not only to the application, but to the entire domain and all of the domain services. This allows an attacker to plant even more nefarious exploits in the form of malware, which can lead to a far larger breach.
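The two habits described above (services running under an administrative account, and credentials hardcoded in plain text) can be checked for mechanically. The following is an added example, not part of the original article: it assumes Linux systemd system units, where a service with no User= setting runs as root, and the unit names, paths and values are constructed for illustration.

```python
import re

# Constructed sample unit files for illustration (not from a real system).
SAMPLE_UNITS = {
    "billing-api.service": (
        "[Unit]\nDescription=Billing API\n"
        "[Service]\nExecStart=/opt/billing/run\n"
        "Environment=DB_USER=admin DB_PASSWORD=Sup3rSecret!\n"
    ),
    "report-worker.service": (
        "[Unit]\nDescription=Report worker\n"
        "[Service]\nUser=svc-report\nExecStart=/opt/report/run\n"
        "EnvironmentFile=/etc/report/secrets.env\n"
    ),
}

# Variable names that suggest a credential, followed by an inline value.
SECRET_ASSIGNMENT = re.compile(r"(?i)\b(\w*(?:pass(?:word|wd)?|secret|token)\w*)=\S+")

def parse_service_section(text):
    """Return (key, value) pairs from the [Service] section, duplicates kept."""
    section, pairs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_unit(name, text):
    """Flag a unit that runs as root or embeds a credential in Environment=."""
    findings, pairs = [], parse_service_section(text)
    users = [v for k, v in pairs if k == "User"]
    user = users[-1] if users else "root"  # assumption: system unit, default root
    if user in ("root", "0"):
        findings.append((name, "runs-as-root"))
    for key, value in pairs:
        if key == "Environment":
            # Report only the variable name so the secret is not copied into logs.
            for m in SECRET_ASSIGNMENT.finditer(value):
                findings.append((name, "plaintext-credential:" + m.group(1)))
    return findings

def audit_all(units):
    return [f for name, text in sorted(units.items()) for f in audit_unit(name, text)]

if __name__ == "__main__":
    for unit, issue in audit_all(SAMPLE_UNITS):
        print(f"{unit}: {issue}")
```

The second sample unit passes because it runs under a dedicated account and reads its secrets from a separate file; that file still needs restrictive permissions for the separation to mean anything.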
Vendor Risk From Poorly Secured Administrative Passwords
You should apply these management principles to your own people, processes and systems. You should equally consider how your third-party vendors use administrative passwords. You could be exposed to risk by your vendors in the following ways:
- Your vendors leaking their administrative passwords, exposing access to their systems.
- Your vendors leaking your administrative passwords, exposing access to your systems.
You should ensure that your third-party vendors are applying appropriate controls, and that you monitor them for a degradation in their security posture or a breach. Otherwise, your risk is only as good as their risk.
Administrative passwords are just one type of data leak we often see caused by third-party vendors.
This article is part of a series. Read more articles in the series at Vendor Risk: The Impact Of Data Leaks From Your Third-Party Vendors.