How to secure Sacco’s IT Administrator Accounts – ‘Keys to Heaven’
Cyber Criminals are targeting privileged accounts
Yelbridges RedTeam – 2021
Cybercrime is increasing, especially in the financial sector: banks, Micro Finance Banks (MFBs) and Saccos. The sharp rise in cyber fraud in the industry, especially in 2021, is attributed to the Covid-19 pandemic: job losses, rapid digitization as a measure to curb the spread of the virus, and working from home, which has extended the cyber threat landscape for most organizations.
Yelbridges Limited has picked up a worrying new trend from the cyber incidents we have been investigating in the Sacco sub-sector. A key component in almost all cases is privilege escalation: an attacker compromises a system account and then expands their privileges, either by gaining control of more accounts or by increasing the privilege level of the compromised account.
The cyber-criminal of the day targets privileged accounts such as the Administrator (Admin) account, then uses the compromised account to create a new account and assign it Administrator rights. Once that succeeds, the attacker uses the new Admin account to lock out the existing Administrators by changing their passwords or disabling their accounts.
This guarantees that even if the existing administrators detect the activity they are helpless, so the criminal can continue to perform unauthorized transactions without interruption.
Secondly, using the Admin account they created, they manipulate records in the database or deploy scripts that initiate fraudulent transactions to various platforms.
Lastly, the attacker covers their tracks by deleting logs from the systems they compromised. In the cyber criminal's game plan, administrator access is paramount, because every one of the activities above requires it.
Keys to Heaven
The cybercriminal targets these accounts because Administrator accounts are used to manage and control critical servers, services, databases and the entire Sacco IT infrastructure. Once the attacker has access to an Administrator account, they fully control the SACCO environment. In addition, they can bypass some of the security controls that have been implemented, because some Admin accounts have full privileged access to the system.
How to protect against privileged access attacks?
Given that privileged accounts are prime targets for attackers, IT teams within the SACCOs should implement Privileged Access Management (PAM) to enhance security and prevent compromise of the accounts.
- Discover all your privileged accounts – Carry out an inventory of all Administrator accounts, including Service Accounts, Local Admins, Default Accounts, etc.
- Protect and manage privileged account credentials, i.e. passwords. This is probably one of the highest risks in the SACCO sector: Administrator passwords are shared between the SACCO and its vendors, or internally a single Administrator password is used by more than one individual. SACCOs should implement password policies and, where possible, enhance security with Multi-Factor Authentication (MFA). Remember also to change the default passwords on all new systems.
- Control and monitor privileged access and activity on all systems. 24/7 monitoring of Administrator activities should be implemented so that the IT team can detect unusual access or activity.
- Use real-time privileged account analytics to detect and respond to in-progress attacks. Time is of the essence in cybersecurity, hence the need to respond to incidents promptly to reduce the loss.
- Ensure that a full cyber risk assessment is conducted and the security holes it finds are plugged rapidly.
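The following detector is an added example, not code from the original article or from Yelbridges. It ties the attack chain described under "Keys to Heaven" (a new account is created and elevated, the existing Administrators are locked out, the logs are cleared) to the monitoring and analytics items above: it replays a stream of Security-log events against the inventory of sanctioned privileged accounts and raises an alert at each step of the chain. It assumes a Windows-based estate using the standard Windows Security event IDs (4720 account created, 4732/4728 member added to a local/global group, 4724 password reset, 4725 account disabled, 1102 audit log cleared); the account names, group names and events are constructed sample data.

```python
"""Privileged-account takeover detector (added example, constructed data).

Replays Windows Security events and flags the chain described in the article:
an account is created (4720) and elevated into an admin group (4732/4728),
the new admin then resets the passwords of or disables the existing admins
(4724/4725) and finally clears the audit log (1102).
"""
from dataclasses import dataclass

# Standard Windows Security event IDs (assumption: Windows-based SACCO estate).
USER_CREATED = 4720
ADDED_TO_LOCAL_GROUP = 4732
ADDED_TO_GLOBAL_GROUP = 4728
PASSWORD_RESET = 4724
ACCOUNT_DISABLED = 4725
AUDIT_LOG_CLEARED = 1102

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


@dataclass(frozen=True)
class Event:
    event_id: int
    time: str          # ISO-8601 timestamp, sortable as text
    subject: str       # account that performed the action
    target: str = ""   # account acted upon, if any
    group: str = ""    # group name for 4732/4728


def detect(events, baseline_admins):
    """Return (kind, time, detail) alerts, in time order.

    baseline_admins is the inventory of sanctioned privileged accounts (the
    "discover all your privileged accounts" step). Any other account that is
    added to an admin group is treated as rogue until an administrator
    reviews it, and everything that rogue account does to the baseline
    admins or to the logs is escalated.
    """
    created = {}    # newly created account -> creator
    rogue = set()   # accounts elevated outside the baseline
    alerts = []

    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == USER_CREATED:
            created[ev.target] = ev.subject

        elif ev.event_id in (ADDED_TO_LOCAL_GROUP, ADDED_TO_GLOBAL_GROUP):
            if ev.group in ADMIN_GROUPS and ev.target not in baseline_admins:
                rogue.add(ev.target)
                # Create-then-elevate in one sitting is the article's pattern.
                kind = "CREATE_THEN_ELEVATE" if ev.target in created else "UNSANCTIONED_ADMIN"
                alerts.append((kind, ev.time,
                               f"{ev.subject} added {ev.target} to {ev.group}"))

        elif ev.event_id in (PASSWORD_RESET, ACCOUNT_DISABLED):
            # Only changes to sanctioned admins matter here; helpdesk resets
            # of ordinary users are routine and would drown the signal.
            if ev.target in baseline_admins:
                action = "reset password of" if ev.event_id == PASSWORD_RESET else "disabled"
                kind = "ADMIN_LOCKOUT" if ev.subject in rogue else "ADMIN_CHANGE_REVIEW"
                alerts.append((kind, ev.time, f"{ev.subject} {action} {ev.target}"))

        elif ev.event_id == AUDIT_LOG_CLEARED:
            # Clearing the Security log is alert-worthy whoever does it.
            kind = "LOG_CLEARED_BY_ROGUE" if ev.subject in rogue else "LOG_CLEARED"
            alerts.append((kind, ev.time, f"{ev.subject} cleared the Security log"))

    return alerts


# Constructed inventory and event stream, not real SACCO data.
BASELINE_ADMINS = {"SACCO\\itadmin", "SACCO\\dbadmin"}

SAMPLE_EVENTS = [
    # routine helpdesk reset of a teller account: must not alert
    Event(PASSWORD_RESET, "2021-06-14T07:30:00", "SACCO\\itadmin", "SACCO\\teller01"),
    # compromised itadmin creates a new account and makes it an Administrator
    Event(USER_CREATED, "2021-06-14T08:01:00", "SACCO\\itadmin", "SACCO\\svc_backup2"),
    Event(ADDED_TO_LOCAL_GROUP, "2021-06-14T08:02:00", "SACCO\\itadmin",
          "SACCO\\svc_backup2", "Administrators"),
    # the new admin locks out the real administrators
    Event(PASSWORD_RESET, "2021-06-14T08:05:00", "SACCO\\svc_backup2", "SACCO\\itadmin"),
    Event(ACCOUNT_DISABLED, "2021-06-14T08:06:00", "SACCO\\svc_backup2", "SACCO\\dbadmin"),
    # and clears the evidence
    Event(AUDIT_LOG_CLEARED, "2021-06-14T08:07:00", "SACCO\\svc_backup2"),
]


if __name__ == "__main__":
    for kind, when, detail in detect(SAMPLE_EVENTS, BASELINE_ADMINS):
        print(f"{when} {kind:22} {detail}")
```

Run against the sample stream, the detector raises CREATE_THEN_ELEVATE at 08:02, ADMIN_LOCKOUT at 08:05 and 08:06, and LOG_CLEARED_BY_ROGUE at 08:07, while the 07:30 teller reset stays silent. The first alert fires before the lockout starts, which is the window the "real-time analytics" item above is about: a rule like this only helps if someone is paged on it rather than reading it in a weekly report, and if the Security log is forwarded off the host so that the final 1102 cannot also erase the earlier alerts.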
Who is watching the watchman?
IT teams need visibility of the entire SACCO IT ecosystem to implement cyber defense controls that will keep attackers at bay. The Yelbridges Managed Security service centralizes events and activities, providing IT teams with real-time intelligence on what is happening, where it is happening and which user accounts are being used. This data is critical for SACCOs to respond proactively to cyber incidents and reduce the losses associated with them.
Privileged accounts can’t be eliminated in our IT environments, but controls can be put in place to prevent account abuse.
Continuous monitoring of privileged accounts can detect and prevent the cyber-fraud incidents we are experiencing today in the SACCO sector.