Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Enterprises continue to suffer from poor password hygiene and a lack of visibility & control over privileged users

It has been more than a year since I last shared Preempt Inspector statistics. Last time we shared Preempt Inspector statistics we found some alarming numbers. With the end of 2018 approaching, I would like to share with you key findings from Preempt Inspector [a free security tool that has been replaced by the more robust and also free Preempt Lite] to help you focus on the most important security issues you might be facing.

Preempt Inspector – Reminder

Preempt Inspector is a free security posture evaluation tools offered by Preempt. The tool monitors various aspects of password and Active Directory security:

  1. Weak Passwords: We define compromised credentials as passwords that exist in well-known password lists. To test this, we’ve created a password dictionary containing 10M of the most common passwords. In a previous blog, this dictionary was used to crack 35% of breached LinkedIn password hashes.

  2. Shared Passwords: We define shared passwords as passwords that are shared by different users (unless password is extremely weak, two users with the same password could not happen by accident).

  3. Stealthy Admins: We define stealthy admins as user accounts with special permissions over other accounts (e.g., changing a user password, modifying a particular security group) not via AD protected groups, in a way that effectively makes user with permissions equivalent to these of a domain admin. You can get more details regarding stealthy admins here.

  4. Exposed Group Policy Passwords – In the past, it was possible to store passwords in Group Policy Preferences (GPP). However, the passwords stored in the GPP could easily be fetched and decrypted by any user in the network. More details on this issue can be found here.

  5. Password Policy – Preempt Inspector also analyzes the domain password policy and assigns a theoretical strength based on the minimal characters you could set and whether password complexity is required.

Stealthy Admins

Preempt Inspector Findings

Since launching Preempt Inspector, about 600 organizations have downloaded the app. More than 100 organizations have chosen to anonymously share security statistics with us. The data collected includes password statistics from several countries (64% from the US, 18% European) and a healthy mix of small (<100 users), medium (100-1000 users) and large (>1000 users) organizational networks. We have found many interesting and surprising statistics regarding how vulnerable most enterprise networks are to these known and simple security vulnerabilities:

  1.  32% of networks had some exposed passwords (GPP passwords)
    Roughly 1 in 3 enterprise networks have some passwords exposed in GPP for any authenticated user to recover. From our experience, these passwords in some cases are applicable and in many cases belong to administrative account (domain or local).

  2. 72% of networks had at least one stealthy admin detected
    In most networks we scanned, we discovered at least one user granted special permissions not through a protected AD group. One such known account is the MSOL account used for Azure AD Connect. However, in most cases (61%), we found more than just one account with stealthy privileges.
  3. Only 5% of networks had a strong password policy, 23% of networks had a very weak password policy
    In our analysis of password policy we’ve scored each password policy and divided password policies into three groups – low, medium and high. A low score was given to policies that either mandate 7 character passwords or mandate password complexity, a medium score was assigned to policies that mandate less than 10 characters (or 9 characters and complexity). Policies that mandated more than 10 characters or 10 characters and complexity were given a high score. Overall, only 5% had a high password policy, and surprisingly, 23% had a low password policy.  


    Figure 1 – Weak Password by Password Complexity Score

    We have further researched the impact of the password policy and the actual strength of passwords in these enterprises and analyzed how many passwords we were able to crack with each policy applicable. Not surprisingly, the better the password policy is, the less passwords we were able to crack. More interestingly, the difference between low and medium score is lower than between medium and high. For enterprises with medium password policy scores, we were able to crack roughly 10% of the passwords. For enterprises with a high score for password policy, we were able to crack only 0.8% of the passwords. This is a strong indication that at least 10 characters passwords is crucial for password strength.

  4. Overall, 97% of inspected enterprises revealed at least one security issue.
    Perhaps the most alarming finding we can share is that even though our scan contains only known issues, in almost all networks we’ve scanned we’ve found some security issues. In the minority case where no security issues were found, clients only scanned for one issue (Preempt Inspector allows running a subset of inspections).  

  5. Bigger organizations have better security posture.
    We measured the average percentage of users with a weak password (compromised or shared) in each organization size and found that the bigger an organization is, the more secure their passwords are. In large organizations we were able to crack 9% of the passwords, in medium organizations we were able to crack 10% of the passwords and in small organizations we were able to crack 16.78% of the passwords.


    Figure 2 – Weak Password by Organization Size

    This reaffirms our previous research findings.

  6. US-based organizations have best password quality, Europe came in second.
    We divided the data into US-based enterprises (64%), European-based enterprises (18%) and others. The results clearly show that password quality in US and Europe is better than rest of the world with 6.3% of US passwords that were cracked, 12% of Europe passwords, and 18% of the passwords from the rest of the world.


    Figure 3 – Weak Password by location

  7. 30% of enterprises improved security metrics in recurring inspector runs
    Some of the enterprises have used Preempt Inspector more than once over during the last year. In 30% of the enterprises we’ve recorded an improvement in one of the subsequent runs (many organization didn’t run the same analysis in different runs). This is a clear indication of the need to constantly monitor security configuration and posture in your network and how Preempt Inspector can help with that task.

What’s Next for Preempt Inspector?

As cyber threats become more sophisticated, organizations need to take a proactive approach in securing their network. Oftentimes, small and medium organizations suffer the most from the cybersecurity skills gap, and therefore need easy tools to efficiently evaluate their security posture and readiness to face outside cyber threats. 

Note: Marina Simakov contributed to this post 

Topics: Insider Threats, Passwords, Privileged Users, Stealthy Admin,

Posted by Yaron Zinar on December 19, 2018 6:08 AM

Product

Brute Force Attacks: Denying the Attacker, Not the User

According tohaveIbeenpwned.com, close to 8 billion accounts have been compromised...

Read More

Developer

What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More

Events

A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More

Research

10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More

Product

Brute Force Attacks: Denying the Attacker, Not the User

According tohaveIbeenpwned.com, close to 8 billion accounts have been compromised...

Read More