Reducing Local Account Risks with ISPM

CISA published its Cyber Security Performance Goals (CPGs) in late 2022, aimed at providing businesses with a foundational framework upon which to anchor their security initiatives. Recognizing the formidable challenges inherent in constructing and managing a robust security program, many organizations grapple with complexity and uncertainty. The CPGs offer businesses with a structured baseline to adopt as a starting point.  As one would expect, CPGs establish a number of recommended identity and access management (IAM) best practices that should be adopted, including: 

• Change default passwords

• Enforce minimum password strength

• Use unique credentials

• Revoke credentials for departing employees

• Separate user and privileged accounts

• Detect unsuccessful (automated) login attempts

• Deploy phishing-resistant multi-factor authentication (MFA)

The reality is that organizations adhering to these basic security goals often overlook a critical identity blind spot: the proliferation of "local accounts" within their networks. These accounts, which operate outside standardized identity management practices and tools, are unlikely to comply with any of these CPGs.

Local accounts can be created by various sources, including software installations, employees (likely now ex-employees), and developers, often serving as convenient shortcuts to expedite system access or troubleshooting. However, they frequently rely on weak, static credentials, are rarely documented, and are prime to be exploited by a threat actor. Even more concerning is the prevalence of local accounts with root or administrative privileges - which in our experience is very common. 

Local accounts are commonly found in 3 main areas:

1. Shadow Assets. Shadow assets are applications or services within the network that are "unknown" to Active Directory or any other Identity Provider, meaning their existence and access are not documented or controlled by an organization’s identity systems and all identities are local accounts. While some assets may be inherently unmanageable due to technical limitations, shadow assets frequently emerge from either oversight of the asset by IT or a misconfigurations that disconnected the asset’s connection to a central identity service.

2. Shadow Access. A second common situation is an asset / application that has been configured to use an Identity Provider or Active Directory, but one-off local accounts still remain. Manually identifying these can be exceptionally challenging, as the only way to find these local accounts would be to go digging into each application's configuration settings.

3. Shadow SaaS. Another common place to find local accounts are shadow SaaS applications. These are SaaS applications that have not been configured to use the corporate IdP and are not accessed via single sign on (SSO). This creates security risks since an exposure of credentials could easily result in unauthorized access to the SaaS application. Additionally, this often leads to oversight in deactivating accounts of former employees, potentially allowing unauthorized access to sensitive information long after their departure.

Identity and security teams can’t manage what they don’t know and threat actors are hoping organizations don’t start to find and eliminate these local accounts.  Identifying these accounts is pivotal to improving an organization’s identity security posture but is daunting; it involves scrutinizing each system and the applications that operate on them across the enterprise to ensure no local accounts are lurking—a task that is both exhaustive and often deemed impossible by most.

To enable IT to reconfigure or remediate these local accounts efficiently, details like who is actually authenticating to the asset and from where is extremely helpful – yet can also be difficult to chase down manually. That is why organization’s are adopting platforms like AuthMind that deliver identity security posture management (ISPM) to streamline the process of discovering local accounts.

AuthMind’s platform fuses identity authentications with actual user and system accesses to deliver comprehensive visibility into identity access activities, including the usage of local accounts.  

AuthMind’s patented approach literally watches all accesses to all systems at the network layer in real-time and cross-correlates these accesses against the Active Directory or IdP to validate whether there was an actual authentication or not to the identity infrastructure.  And the good news is that AuthMind can deliver this visibility to local accounts without the use of agents by leveraging logs already or in a SIEM system, or by deploying AuthMind sensors.

AuthMind’s visibility to identity access activities immediately highlights local accounts by the hundreds (or in our experience with many large enterprises, even by the thousands) enabling teams to start to identify the high risk / most accessed systems with local accounts that need to be replaced with managed  accounts or require implementing other mitigating security controls to protect these risky accounts.  

This includes accounts on unmanaged or shadow assets that are not documented in conventional CMDBs or management tools, offering a comprehensive view of the enterprise's identity security posture and significantly mitigating risks associated with these hidden accounts.

AuthMind also provides teams with single click details on who exactly is accessing the local accounts and from where. This enables identities teams to quickly understand who in the business is leveraging an asset so they can follow-up to confirm ownership and take mitigating steps to reconfigure the asset to use an authorized IdP.

These scenarios underscore the power of AuthMind's comprehensive identity activity visibility in revealing local accounts across both enterprise systems and SaaS applications utilized by the organization. Armed with this knowledge, organizations can efficiently take steps to minimize the presence of local accounts and improve their identity security posture, thereby decreasing the potential avenues through which threat actors could exploit these identity blind spots.