{"id":3158,"date":"2024-04-17T17:34:22","date_gmt":"2024-04-17T22:34:22","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/for-service-accounts-accountability-is-key-to-security"},"modified":"2024-04-17T17:34:22","modified_gmt":"2024-04-17T22:34:22","slug":"for-service-accounts-accountability-is-key-to-security","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/17\/for-service-accounts-accountability-is-key-to-security\/","title":{"rendered":"For Service Accounts, Accountability Is Key to Security"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span>
Over my 32 years in cybersecurity, one painful constant has been managing the risks associated with network service accounts.<\/span><\/p>\n

Service accounts are supposed to be machine-to-machine accounts that perform repetitive and automated scheduled tasks without human interaction. Common examples of service accounts include running applications on operating systems, databases, automated backups, and network maintenance. They should have extremely limited access rights, disallow human interaction, and only perform their intended function.<\/span><\/p>\n

Rare is the management model that addresses service account concerns adequately from a security perspective. Best practices reduce the ability of threat actors to use such accounts to move laterally within the enterprise, undetected by our monitoring systems.<\/span><\/p>\n

Trouble Points of Service Accounts<\/h2>\n

Every organization has service accounts. Every organization would also like to have fewer accounts and better monitoring and control for the accounts they must have. Threat actors understand the <\/span>security risks of service accounts<\/a><\/span> and take advantage.<\/span><\/p>\n

Lack of visibility.<\/span><\/span> Service accounts can have complex dependencies in processes, applications, database structures, and programmatic systems. These accounts can be exceedingly difficult, if not impossible, to monitor and properly secure.<\/span><\/p>\n

Difficulty in monitoring.<\/span><\/span> Since service accounts are not typically associated with a specific person, monitoring the logs can cause confusion and complicate incident investigations. This can result in networks being exposed to threat actor actions and lateral movements, while the malicious actors remain completely undetected as they move around in the network.<\/span><\/p>\n

Complicated nature of evictions.<\/span><\/span> If threat actors breach your network and you need to evict them, every single password must be changed over a brief period, some more than once. This is when service accounts can really become burdensome and complicated. To commit to an eviction, you must change every single service account password. If you do not have a good inventory and understand the functionality of all service accounts, you should not attempt an eviction. In such a case, the few service accounts you could not change will probably be used by the threat actors.<\/span><\/p>\n

Common Gaps in Knowledge<\/h2>\n

Many times, over the years, during an incident response engagement, I saw these tendencies organizations had with regard to service accounts:<\/span><\/p>\n

\n