Solar Group: more than 40% of companies keep active accounts of dismissed employees

As analysts of the Solar 4RAYS Cyber Threat Research Center note, in the first half of 2024 attackers used compromised accounts of company employees and hacked accounts of contractors and subcontractors (supply chain attacks) in 50% of successful cyber attacks.

Experts from Solar inRights (the IdM system of Solar Group) investigated which factors in infrastructure access management make such attack vectors easier to exploit. Managers, information security and IT specialists from more than 100 large organizations in the financial and industrial sectors, energy, retail, transport and logistics, and medical and pharmaceutical companies took part in the study.

As representatives of more than 40 percent of companies noted, access to the organization's information resources under an employee's account is preserved after dismissal. The most common reason is a lack of coordination between the HR and IT departments responsible for managing access to the organization's digital assets. As a result, such accounts may exist in corporate information systems for a long time, and terminated employees retain access to their former employer's digital assets. If the company also has no procedure for regularly updating its password policy, these accounts most often become an entry point for cybercriminals.

Similarly, more than 40% of companies have difficulty identifying stale accounts and accumulated excess rights. According to Solar inRights experts, the main reasons are the lack of auditing of user categories, a large number of disparate information systems, shared accounts that hide the real owner, and differing mechanisms for granting access to the IT infrastructure.

In 35% of cases, the lack of automation in access management makes it difficult to investigate incidents and to obtain information about the credentials of terminated employees. Consequently, companies are unable to respond promptly to potential threats or to analyze and mitigate the risks of incidents related to illegitimate access rights.

More than 25% of study participants also noted that their existing manual and semi-automated account blocking procedures are ineffective. In practice, even one privileged account left unblocked, for example one belonging to a recently dismissed finance employee, can lead to significant losses and legal consequences.

Technical accounts (TAs) are another weak point in managing access to information systems. They are created to manage infrastructure and to run various IT services. For such accounts the responsible person is either not defined at all, or is recorded only in the documentation of the integration project.

If the company has no unified register of the people responsible for technical accounts, then when an employee is dismissed there is almost no chance of determining which accounts that employee was responsible for. At the same time, logins and passwords of technical accounts can remain unchanged for years if the company has no requirement for regular password rotation. This increases the risk that authentication data for information systems is disclosed and used by cybercriminals.

Representatives of more than 30% of companies noted that they keep no register of technical accounts (TAs) and of the persons responsible for each of them; in a quarter of companies a password policy for technical accounts is neither developed nor followed. In more than 50% of cases, companies do not automate the transfer of responsibility when a user is dismissed or moved to another position.
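The reconciliation that the survey finds missing (HR status vs. live accounts, and technical accounts without an owner or with passwords that were never rotated) can be expressed as a small audit. The script below is an added illustration, not code from Solar Group or the study; the HR roster, account inventory, report date and the 90-day password age limit are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR roster and an account inventory as an
# IdM system might export them. None of this comes from the study.
HR_ROSTER = {
    "ivanov":  {"status": "active"},
    "petrova": {"status": "terminated", "left": date(2024, 2, 1)},
    "sidorov": {"status": "terminated", "left": date(2023, 11, 15)},
}

ACCOUNTS = [
    {"login": "ivanov",      "type": "user",      "owner": "ivanov",  "enabled": True,  "pwd_set": date(2024, 5, 1)},
    {"login": "petrova",     "type": "user",      "owner": "petrova", "enabled": True,  "pwd_set": date(2023, 1, 10)},
    {"login": "sidorov",     "type": "user",      "owner": "sidorov", "enabled": False, "pwd_set": date(2023, 1, 10)},
    {"login": "svc_backup",  "type": "technical", "owner": "sidorov", "enabled": True,  "pwd_set": date(2021, 3, 3)},
    {"login": "svc_erp_int", "type": "technical", "owner": None,      "enabled": True,  "pwd_set": date(2024, 4, 20)},
]

REPORT_DATE = date(2024, 6, 30)   # assumed date the audit is run


def audit(accounts, roster, today, max_pwd_age_days=90):
    """Return sorted (login, finding) pairs for enabled accounts that violate
    the offboarding or password-rotation expectations described above."""
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue                      # disabled accounts are already handled
        owner = acc["owner"]
        if owner is None:
            # technical account with no responsible person on record
            findings.append((acc["login"], "no_owner"))
        elif roster.get(owner, {}).get("status") == "terminated":
            # HR says the person left, IT still has a live account tied to them
            kind = "terminated_user" if acc["type"] == "user" else "orphaned_technical"
            findings.append((acc["login"], kind))
        if (today - acc["pwd_set"]).days > max_pwd_age_days:
            findings.append((acc["login"], "stale_password"))
    return sorted(findings)


def run_audit():
    return audit(ACCOUNTS, HR_ROSTER, REPORT_DATE)


if __name__ == "__main__":
    for login, finding in run_audit():
        print(f"{login}: {finding}")
```

Each finding maps to one of the survey's gaps: `terminated_user` is the dismissed employee whose access was never revoked, `orphaned_technical` is the technical account whose responsible person has left, `no_owner` is the unregistered technical account, and `stale_password` is the missing rotation policy.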

Research participants also noted challenges in managing access for contractors and subcontractors. In more than 40% of cases, companies have no up-to-date picture of an external counterparty's level of access; in a third, access is terminated prematurely; and 48% of companies have no automated process to revoke authorization and block contractor accounts when a contract ends. In almost 15% of cases, companies neither develop nor enforce password policies for contractor accounts that have access to their information systems.

As respondents noted, one in two companies does not use a centralized system for managing employee accounts and access.

“Different processes, lack of automation and, as a result, complex control of technical accounts and user authority to IT infrastructure seriously affect the stability of cyber security, create risks that affect the stability of work. Therefore, auditing: to whom, in what volume and for what purposes the company provides its resources is the key to forming a safe working environment. Without automated control of the life cycle of accounts and the level of authority of employees, owners of technical accounts and contractors, the risks of unauthorized access to critical digital assets and customer data increase many times,” comments Yulia Semenova, head of the department for managing access rights to information resources at Solar.

The problem of access management becomes even more acute in the context of mergers and acquisitions. On average, about 400 M&A deals per year were recorded in Russia in 2023-2024, which forces companies to deal systematically with authentication, identification and access control at all levels. Automated systems make it possible to audit the access rights of all employees and contractors of the combined company, and then to consolidate and structure information security policies on the basis of a comprehensive approach to cyber security.

As Solar inRights experts point out, Russian IdM systems make it possible to prevent or reduce the damage from information leaks when they are part of a comprehensive approach to cyber security.

For example, when integrated with access control and management systems, they raise the security of information systems and rule out the use of someone else's account. When integrated with SIEM (Security Information and Event Management) products, the IdM system sends its data to the SIEM for analysis, prevention and investigation of information security incidents.

Using SSO (Single Sign-On) and multi-factor authentication together with an IdM solution makes it possible to build a secure login to various services with a single set of credentials. IdM and PAM (Privileged Access Management) platforms working together provide control over privileged users' access to confidential information, critical business processes and information systems.
