“Humans aren’t the only target for attackers that seek to compromise credentials as their easiest pathway to an organization’s critical data and assets. Humans remain a lucrative and relatively easy target; the average staff member has more than 30 digital identities, and over half have some kind of sensitive access. But software bots – little pieces of code that do repetitive tasks – exist in huge numbers in firms around the world and are also a prime target.
Bots are a major component of digital business. They need information – and access – so they can do what they do. In fact, 68% of non-humans or bots have access to sensitive data and assets, according to the CyberArk 2022 Identity Security Threat Landscape report. And, given that the research also showed that machine identities now outweigh human identities by a factor of 45x on average, and that their credentials are mostly not being properly protected, this is a cause for concern.
Attackers specifically go after bots because they know that in many cases their passwords are not being rotated. They know also that bots are generally over-permissioned, having more access than they need, and are not monitored like human identities for any anomalies. A compromised bot allows an attacker to maintain access and stay there undetected. Even today, we still see bots that back up all servers or domain admin accounts. In some cases, these bots are still using default passwords. A compromise here becomes a ‘game over’ issue for the targeted organization.
Hard-coded passwords and secrets scattered throughout the environment are among the practices that must be eradicated in favour of centralized, robust password management, for both humans and machines.”
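The two practices the quoted passage calls out, secrets written into bot code and machine credentials that are never rotated, are easy to show side by side. The following is an added example written for this page; it is not code from CyberArk, from the report, or from any product mentioned above. The sample "backup bot" source, the variable names, the pattern list and the rotation policy are all constructed for illustration: a small heuristic scanner flags lines that embed a credential, `load_secret` shows the bot reading its secret from an environment variable injected at run time by a centralized secret store instead of from source, and `needs_rotation` applies a maximum-age policy to a machine credential.

```python
"""Spot hard-coded bot credentials and show the centralized alternative (added example)."""
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample bot script (not real code from any product): the kind of
# "backup bot" described in the passage, with its credentials written into the code.
SAMPLE_BOT_SOURCE = '''\
import smtplib, shutil
DB_PASSWORD = "Winter2021!"          # hard-coded, never rotated
api_key = 'AKIAEXAMPLEKEY000000'      # cloud key in source
backup_target = "smb://backupbot:Backup123@fileserver/share"
log_level = "DEBUG"
password = ""                          # empty placeholder, not a finding
'''

# Heuristic patterns for common credential shapes. A production secret scanner
# would carry many more patterns plus entropy checks; this is deliberately small.
ASSIGNMENT_RE = re.compile(
    r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["\']([^"\']{4,})["\']'
)
URL_CRED_RE = re.compile(r'(?i)\b([a-z]+)://[^/\s:@]+:([^@\s]+)@')


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "assignment" (secret assigned to a named variable) or "url" (user:pass@host)
    name: str   # matched variable name, or URL scheme


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per line that appears to embed a credential in source."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.search(line)
        if m:
            findings.append(Finding(line_no, "assignment", m.group(1).lower()))
            continue
        m = URL_CRED_RE.search(line)
        if m:
            findings.append(Finding(line_no, "url", m.group(1).lower()))
    return findings


def load_secret(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Hardened form: the bot reads its secret from an environment variable that a
    secret store or orchestrator injects at run time. The value never lives in
    source, and there is no default to fall back on if it is missing."""
    env = dict(os.environ) if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} not provided; refusing to use a default")
    return value


def needs_rotation(last_rotated_iso: str, max_age_days: int,
                   now_iso: Optional[str] = None) -> bool:
    """True when a machine credential is older than the rotation policy allows.
    Timestamps are ISO 8601 strings with a timezone offset (assumed policy input)."""
    last = datetime.fromisoformat(last_rotated_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (now - last) >= timedelta(days=max_age_days)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_BOT_SOURCE):
        print(f"line {f.line_no}: hard-coded credential ({f.kind}: {f.name})")
    # Constructed rotation check: a bot key last rotated in January, checked in June.
    print("rotation overdue:",
          needs_rotation("2020-01-01T00:00:00+00:00", 90, "2020-06-01T00:00:00+00:00"))
```

Running the scanner over the constructed sample reports lines 2, 3 and 4; the empty `password = ""` placeholder is skipped because the pattern requires a value of at least four characters, which keeps the check from flagging code that correctly reads the secret elsewhere. The `load_secret` function deliberately raises rather than substituting a default, since a silently used default is exactly the "default password" condition the passage warns about.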