Updated: Feb 23
Detecting and remediating identity misconfigurations and blind spots is critical to an organization's identity security posture, especially as identity has become the new perimeter and a key pillar of Zero Trust programs. In this article, we will explore what identity blind spots and misconfigurations are, detail why finding them is essential, and lay out the top seven to avoid.
In the domain of identity security, “identity misconfigurations” and “identity blind spots” stand out as critical concerns that undermine an organization’s identity security posture. An identity misconfiguration occurs when identity infrastructure and systems are not configured correctly due to administrative error or configuration drift.
Configuration drift in this context refers to the gradual divergence of an organization's identity and access controls from their intended state, often due to unsanctioned changes or updates, leading to inconsistencies that can compromise an organization’s identity security posture. Identity blind spots are risks that are overlooked or not monitored by an organization’s existing identity controls, leaving undetected risks that threat actors could exploit.
Traditionally, security measures focused on fortifying an organization’s network perimeter by building higher “walls” around its IT resources. However, the network perimeter has become less relevant with the adoption of cloud computing, SaaS services, and hybrid work. In this new landscape, full visibility and control of the activities of both human and machine identities is crucial for mitigating cyber threats.
The need to secure identities is validated by research and multiple real-world incidents where a compromised identity served as the attacker’s initial entry point. The Identity Defined Security Alliance’s most recent research found that 90% of organizations surveyed have experienced at least one identity-based attack in the past year.
Verizon’s 2023 Data Breach Investigations Report (DBIR), based on their analysis of 16,312 security incidents and 5,199 confirmed breaches, found that over 50% of initial access methods used by attackers involved stolen credentials and phishing, both of which are identity-related. Specifically, for basic web application attacks, Verizon found that stolen credentials played a role in 86% of the breaches.
One notable recent example of an identity-based attack is the Midnight Blizzard attack disclosed in January 2024. Based on what has been published about the attack, the malicious actors carried out a password spray attack to compromise a legacy non-production test tenant account. Once they gained a foothold through a valid account, they used its permissions to access a small percentage of the company’s corporate email user accounts. They could then exfiltrate sensitive information, including emails and attached documents.
To stay one step ahead of identity-related attacks, identity and security teams should proactively improve their identity security posture by finding and remediating these common identity misconfigurations and blind spots.
1-Missing multi-factor authentication (MFA)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) consistently urges organizations to implement MFA for all users and all services to prevent unauthorized access. Yet, achieving this goal can prove challenging in the real world. The complexity lies in configuring multiple identity systems, such as an organization’s Identity Provider and MFA system, along with hundreds of applications’ settings to enforce MFA for thousands of users and groups. When these are not configured correctly, MFA ends up not being enforced, whether through accidental omission or through gaps in session management.
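One way to surface both kinds of gap is to review Identity Provider sign-in events rather than policy settings: a successful sign-in to an application that should require MFA, but where no MFA claim was satisfied, is a gap regardless of what the policy pages say. The script below is an added example (not AuthMind’s code or any product’s logic) that runs that check over a handful of constructed sign-in records; the field names, the `MFA_REQUIRED_APPS` list and the use of an `auth_method` of `token_refresh` to mark a long-lived session reused without step-up are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sign-in events (not real logs). Fields are modelled loosely on
# what an Identity Provider exports per interactive sign-in; names are assumed.
SIGN_INS = [
    {"user": "alice", "app": "Payroll", "result": "success", "mfa": "satisfied",    "auth_method": "password+otp"},
    {"user": "bob",   "app": "Payroll", "result": "success", "mfa": "not_required", "auth_method": "password"},
    {"user": "bob",   "app": "Wiki",    "result": "success", "mfa": "satisfied",    "auth_method": "password+otp"},
    {"user": "carol", "app": "Wiki",    "result": "success", "mfa": "not_required", "auth_method": "password"},
    # Session reused via a refresh token minted before MFA was required: a session-management gap.
    {"user": "carol", "app": "VPN",     "result": "success", "mfa": "not_required", "auth_method": "token_refresh"},
    {"user": "dave",  "app": "Payroll", "result": "failure", "mfa": "not_required", "auth_method": "password"},
]

# Assumed policy: every one of these applications must enforce MFA for all users.
MFA_REQUIRED_APPS = {"Payroll", "VPN", "Wiki"}


def find_mfa_gaps(events, required_apps):
    """Return successful sign-ins to MFA-required apps that completed without MFA.

    Each finding records the likely cause: a policy gap (a credential sign-in
    that never prompted for MFA) or a session gap (an existing session or
    refresh token reused without a step-up challenge).
    """
    findings = []
    for e in events:
        if e["result"] != "success" or e["app"] not in required_apps:
            continue  # failed attempts and out-of-scope apps are not MFA gaps
        if e["mfa"] == "satisfied":
            continue
        cause = "session_gap" if e["auth_method"] == "token_refresh" else "policy_gap"
        findings.append({"user": e["user"], "app": e["app"], "cause": cause})
    return findings


def summarize_by_app(findings):
    """Count unprotected sign-ins per application so the largest gap is fixed first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["app"]] += 1
    return dict(counts)


if __name__ == "__main__":
    gaps = find_mfa_gaps(SIGN_INS, MFA_REQUIRED_APPS)
    for g in gaps:
        print(f"{g['user']:6} -> {g['app']:8} {g['cause']}")
    print(summarize_by_app(gaps))
```

Against real data the same loop runs over the IdP’s sign-in export; the useful output is the per-application count, because a whole application with zero MFA-satisfied sign-ins points at a missing policy assignment, while isolated `session_gap` rows point at token lifetimes that outlived the policy change.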
2-Password hygiene
Effective password hygiene is crucial to an organization’s identity security posture, but common identity misconfigurations frequently undermine password quality and increase the risk of data breaches. Allowing weak or commonly used passwords facilitates unauthorized access through simple guessing or brute force attacks.
Strong but default passwords can make password spray attacks easier. Using outdated algorithms to store passwords, such as SHA-1, MD4, MD5, RC2, or RC4, which can be cracked quickly, further exposes user credentials. Additionally, inadequate salting of passwords weakens their defense against dictionary and rainbow table attacks, making them easier to compromise.
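The three problems above (weak or common passwords accepted, a fast unsalted hash, no per-user salt) are visible in a few lines of code, as is the fix. The following is an added example, not code from AuthMind or from any product on the page: it contrasts an unsalted MD5 store with a policy check plus salted PBKDF2-HMAC-SHA256, using Python’s standard library only. The blocklist, the 12-character minimum and the 600,000 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed blocklist of commonly used passwords (a real deployment would load a large list).
COMMON_PASSWORDS = {"password", "123456", "Welcome1", "Summer2024!"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


def weak_store(password):
    """The misconfiguration: unsalted, fast MD5.

    Identical passwords collapse to identical digests, so a single precomputed
    (rainbow) table cracks every user who chose the same password at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def is_weak_password(password, blocklist=COMMON_PASSWORDS, min_len=12):
    """Reject passwords that are too short or appear on the common-password list."""
    return len(password) < min_len or password in blocklist


def hardened_store(password):
    """Policy check, then a random 16-byte salt and a slow, salted KDF.

    Returns a self-describing record so the algorithm and work factor can be
    upgraded later without guessing how old hashes were produced.
    """
    if is_weak_password(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored, candidate):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two users, same password: the weak store leaks that fact, the hardened one does not.
    print("weak:    ", weak_store("Summer2024!"), weak_store("Summer2024!"))
    print("hardened:", hardened_store("correct horse battery staple"))
    print("hardened:", hardened_store("correct horse battery staple"))
```

The auditing angle follows directly: a credential store whose records lack a salt field, or whose digests are 32 hex characters long for every user, is exhibiting exactly the weakness described above, and two users with the same digest is a sure sign the salt is missing.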
3-Bypass of critical identity and security systems
Organizations deploy Privileged Access Management (PAM) systems to control and monitor access to privileged accounts, such as domain administrator and admin-level application accounts. PAM systems provide an extra layer of security by storing the credentials to privileged accounts in a secure vault and brokering access to protected systems via a proxy server or bastion host.
Unfortunately, PAM controls can be bypassed by resourceful admins or threat actors if not configured correctly, significantly reducing the protection they should provide. A similar problem can occur when users bypass zero trust network access (ZTNA) systems due to initial configuration issues or configuration drift over time.
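Whether a PAM bastion or a ZTNA broker is being bypassed is something network telemetry can answer directly: any administrative session that reaches a protected system from a source other than the broker did not go through it. The script below is an added example (not AuthMind’s code, nor any PAM vendor’s) that applies that rule to a few constructed connection records; the protected-host inventory, the `10.10.0.0/29` broker range and the administrative port list are assumptions for the example.

```python
import ipaddress

# Assumed inventory: systems that must only be reached through the PAM bastion / proxy.
PROTECTED_HOSTS = {
    "dc01.corp.example": "domain controller",
    "db-prod-01.corp.example": "production database",
}
# Assumed address range of the PAM bastion hosts (or ZTNA connector egress).
BROKER_SOURCES = [ipaddress.ip_network("10.10.0.0/29")]
# Administrative protocols whose sessions must be brokered; SMB (445) is deliberately
# left out here so the example flags interactive admin sessions, not every file access.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm"}

# Constructed connection records, as flow logs or EDR network telemetry might provide them.
CONNECTIONS = [
    {"src": "10.10.0.2",    "dst": "dc01.corp.example",       "port": 3389, "user": "pam-session-4471"},
    {"src": "10.50.3.17",   "dst": "dc01.corp.example",       "port": 3389, "user": "jsmith-adm"},
    {"src": "10.50.3.17",   "dst": "dc01.corp.example",       "port": 445,  "user": "jsmith-adm"},
    {"src": "10.10.0.3",    "dst": "db-prod-01.corp.example", "port": 22,   "user": "pam-session-4472"},
    {"src": "192.168.77.9", "dst": "db-prod-01.corp.example", "port": 22,   "user": "dbadmin"},
    {"src": "10.50.3.20",   "dst": "wiki.corp.example",       "port": 22,   "user": "ops"},
]


def via_broker(src):
    """True when the connection originates from a known bastion / broker address."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BROKER_SOURCES)


def find_pam_bypasses(connections):
    """Flag administrative sessions to protected hosts that did not come from the broker."""
    findings = []
    for c in connections:
        if c["dst"] not in PROTECTED_HOSTS or c["port"] not in ADMIN_PORTS:
            continue  # unprotected host, or not an administrative protocol
        if via_broker(c["src"]):
            continue  # legitimately brokered session
        findings.append({
            "user": c["user"],
            "src": c["src"],
            "dst": c["dst"],
            "protocol": ADMIN_PORTS[c["port"]],
            "asset_role": PROTECTED_HOSTS[c["dst"]],
        })
    return findings


if __name__ == "__main__":
    for f in find_pam_bypasses(CONNECTIONS):
        print(f"{f['user']} reached {f['dst']} ({f['asset_role']}) over {f['protocol']} from {f['src']}, bypassing PAM")
```

Two findings come out: a direct RDP session to the domain controller and a direct SSH session to the database host. The remediation is usually a host firewall or security-group rule that accepts administrative ports only from the broker range, which turns this detection into a preventive control.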
4-Shadow access
Shadow access is a common blind spot in an organization’s identity security posture and one that is difficult to discover and correct. Shadow access is when a user retains unmanaged access via a local account to an application or service for convenience or to speed up troubleshooting. Local accounts typically rely on static credentials, lack proper documentation, and are at higher risk of unauthorized access. A local account with high privileges such as a super admin account is especially problematic.
5-Shadow assets
Shadow assets are a subset of Shadow IT and represent a significant blind spot in identity security. Shadow assets are applications or services within the network that are "unknown" to Active Directory or any other Identity Provider. This means that their existence and access are not documented or controlled by an organization’s identity systems, and these assets are only accessed by local accounts. Without integration into Active Directory or any other Identity Provider, these assets do not adhere to an organization's established authentication and authorization frameworks, which makes it challenging to enforce security measures such as access controls, user authentication, and compliance checks. Consequently, shadow assets can inadvertently become gateways for unauthorized access.
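Shadow access (section 4) and shadow assets (section 5) are found with the same comparison: authentication events observed on hosts and applications, set against what the Identity Provider knows. An account that authenticates locally, or that the IdP has never heard of, is shadow access; an asset the IdP does not list, and on which every observed login is local, is a shadow asset by the definition above. The script below is an added example covering both sections (not AuthMind’s code) over constructed directory exports and authentication events; the field names and the list of high-privilege account names are assumptions.

```python
from collections import defaultdict

# Assumed Identity Provider export: accounts it manages and assets integrated with it.
IDP_ACCOUNTS = {"alice", "bob", "svc-backup"}
IDP_ASSETS = {"erp.corp.example", "fileserver01"}

# Constructed authentication events gathered from host and application logs.
AUTH_EVENTS = [
    {"asset": "erp.corp.example", "account": "alice",     "auth_source": "idp"},
    {"asset": "erp.corp.example", "account": "erp_admin", "auth_source": "local"},
    {"asset": "fileserver01",     "account": "bob",       "auth_source": "idp"},
    {"asset": "nas-legacy",       "account": "admin",     "auth_source": "local"},
    {"asset": "nas-legacy",       "account": "root",      "auth_source": "local"},
    # Not in the IdP asset list, but reached with an IdP identity: an inventory gap,
    # not a shadow asset under the definition used in the article.
    {"asset": "jenkins-old",      "account": "alice",     "auth_source": "idp"},
]

# Assumed names that usually denote super-admin / built-in privileged local accounts.
HIGH_PRIV_NAMES = {"admin", "root", "administrator", "sa"}


def find_shadow_access(events, idp_accounts):
    """Logins that bypass the IdP: local authentication or an account the IdP does not manage."""
    findings = []
    for e in events:
        if e["auth_source"] == "idp" and e["account"] in idp_accounts:
            continue
        findings.append({
            "asset": e["asset"],
            "account": e["account"],
            "high_privilege": e["account"].lower() in HIGH_PRIV_NAMES,
        })
    return findings


def find_shadow_assets(events, idp_assets):
    """Assets unknown to the IdP where every observed login used a local account."""
    sources_by_asset = defaultdict(set)
    for e in events:
        sources_by_asset[e["asset"]].add(e["auth_source"])
    return sorted(
        asset for asset, sources in sources_by_asset.items()
        if asset not in idp_assets and sources == {"local"}
    )


if __name__ == "__main__":
    for f in find_shadow_access(AUTH_EVENTS, IDP_ACCOUNTS):
        flag = " (high privilege)" if f["high_privilege"] else ""
        print(f"shadow access: {f['account']} on {f['asset']}{flag}")
    print("shadow assets:", find_shadow_assets(AUTH_EVENTS, IDP_ASSETS))
```

The two high-privilege local logins on `nas-legacy` are the case the article singles out as most problematic: an asset outside the IdP, reached only through built-in super-admin accounts with static credentials.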
6-Shadow identity systems
Shadow identity systems are unauthorized identity systems that could fall under shadow assets but are called out separately given the risk they pose to an organization’s identity security posture. The most common shadow identity system is the use of unapproved password managers.
Given the scope of their role, software development teams can take things further by implementing unsanctioned secret management tools to secure application credentials and even standing up their own Identity Providers. Another risky behavior is when developers duplicate Active Directory for testing or migration purposes but neglect proper disposal, exposing sensitive employee information, group policies, and password hashes.
7-Forgotten service accounts
A service account is a type of machine identity that can perform various actions depending on its permissions. This could include running applications, automating services, managing virtual machine instances, making authorized API calls, and accessing resources. When service accounts are no longer in active use but remain unmonitored with permissions intact, they become prime targets for exploitation. Attackers can leverage these forgotten service accounts to gain unauthorized access, potentially leading to data breaches, service disruptions, and compromised systems – all under the radar of traditional identity security measures.
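A forgotten service account has a recognisable shape in directory data: it is still enabled, it still holds its roles, and it has not authenticated for a long time (or ever). The script below is an added example (not AuthMind’s code) that scores a constructed service-account inventory on exactly those attributes; the 90-day idle threshold, the privileged-role list and the fixed reference date are assumptions chosen so the output is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time (assumed) so idle-day figures are reproducible offline.
NOW = datetime(2024, 2, 23, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed threshold; tune per environment

# Assumed roles that make an idle account a high-risk finding.
PRIVILEGED_ROLES = {"Domain Admins", "Enterprise Admins", "Global Administrator", "Local Admin"}

# Constructed service-account inventory, as a directory export might provide it.
SERVICE_ACCOUNTS = [
    {"name": "svc-backup",       "enabled": True,  "last_auth": "2024-02-20T02:00:00Z", "roles": ["Backup Operators"], "owner": "infra"},
    {"name": "svc-legacy-etl",   "enabled": True,  "last_auth": "2023-09-01T00:00:00Z", "roles": ["Domain Admins"],    "owner": None},
    {"name": "svc-pentest-2022", "enabled": True,  "last_auth": None,                   "roles": ["Local Admin"],      "owner": None},
    {"name": "svc-old-cms",      "enabled": False, "last_auth": "2022-01-01T00:00:00Z", "roles": ["Domain Admins"],    "owner": "web"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None means the account has never authenticated."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def find_forgotten_service_accounts(accounts, now=NOW, stale_after=STALE_AFTER):
    """Enabled accounts with permissions intact that have been idle past the threshold.

    Never-used accounts are treated as idle. Findings are ordered so privileged
    accounts come first, then alphabetically, to give a remediation order.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: not exploitable as a live credential
        last = parse_ts(a["last_auth"])
        if last is not None and now - last < stale_after:
            continue  # recently active
        findings.append({
            "name": a["name"],
            "idle_days": (now - last).days if last else None,
            "risk": "high" if set(a["roles"]) & PRIVILEGED_ROLES else "medium",
            "orphaned": a["owner"] is None,  # nobody to confirm whether it is still needed
        })
    return sorted(findings, key=lambda f: (f["risk"] != "high", f["name"]))


if __name__ == "__main__":
    for f in find_forgotten_service_accounts(SERVICE_ACCOUNTS):
        idle = "never used" if f["idle_days"] is None else f"{f['idle_days']} days idle"
        owner = "no owner" if f["orphaned"] else "owner on record"
        print(f"[{f['risk']}] {f['name']}: {idle}, {owner}")
```

The "never used" case matters as much as the long-idle one: an account created for a project that never went live still carries its roles, and because it has no sign-in history nothing will look unusual when it is eventually used.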
Identity and access management (IAM) systems such as Active Directory, Identity Providers, and PAM typically offer limited capabilities to find the identity misconfigurations and blind spots that lead to a poor identity security posture. These systems typically don’t collect the telemetry needed to identify such issues; doing so requires collecting and correlating data from multiple sources, including identity system log data, network traffic, cloud traffic, and remote access logs.
That is why identity and security teams implement identity security posture management (ISPM) solutions such as AuthMind to discover and remediate identity exposures before an attacker can exploit them. AuthMind can protect all your identities and identity fabric by leveraging logs already in your SIEM or deploying AuthMind sensors. AuthMind delivers fast time to value with unmatched visibility into identity activities in the first hours after deployment.
Book a meeting with AuthMind to learn more!