Recently I was on a phone call with a security vendor going over the pros and cons of their product. I was being shoveled all the benefits of having a ‘comprehensive’, ‘fully integrated’, ‘inter-operable suite of products’ to ensure my end-to-end protection. Being in information security I know the Xanadu of such an idea is near impossible to reach through technology alone, yet I continued to let them present their dog and pony show. Then they threw out recent examples of major breaches and the companies involved in them. However, when you look at the causes of the most recent breaches, they weren’t caused by the failure or absence of security technology but by simple human error and a lack of internal discipline.
I stopped them and replied with “So what?”. The companies invested millions to put their security systems in and they were still breached. Their entire internal data repository was exposed over months without anyone knowing about it. “So what?”. Where was the technology to stop that? The surface answer is that the companies had all the right technologies in place; the deeper answer is that there is no technology that will stop lazy internal procedures and over-trusting employees.
The recent breaches happened because there was too much trust placed in the administrators: all-powerful, all-access control freely given to the engineers in an environment with little or no governance around the administrators’ activity. Your defensive, all-encompassing systems are worthless when you have people with all-access keys to the kingdom running around 24/7. A hacker looking to penetrate a company is going to be exponentially more successful, with far less effort, by social engineering the trusted employees rather than taking on the millions of dollars of enterprise-class, multi-layered security systems.
Get the master-key and you can walk through the front door unnoticed. It’s that simple.
In the old days, when the company’s infrastructure was locked behind impenetrable firewalls and layers of network blocks, you could have all-access administrators 24/7. The accounts and privileges could only be used inside. As the world moves to a global service model, having internal systems directly connected to the Internet is almost a requirement now. What is happening is that the security-through-obscurity approach to administrator access has not been widely challenged, so access management has not been re-thought. The Anthem breach, if the reports are accurate, was caused by one to five people with high-level access who had those accounts phished or scammed away and the passwords captured. The hackers then used those valid, all-access accounts to reach everything the accounts could. No penetration hacking required.
Here are the things security departments need to address to limit and prevent the administrator and other privileged accounts from being used against them:
- Lock the accounts away. Implement a ‘Use When Needed’ model. If an administrator needs to make a change with a high-access account, have them check out the account with an approval. Don’t allow administrators to have the keys 24/7. At each check-out, reset the password. When it’s checked in, reset the password again and have it managed by a vault. It is very hard, if not impossible, to use an account when no one knows the password while the account is locked or ‘at rest’.
- Diversify your accounts. Administrators should never have privileged access granted to the same workstation account they use to log in to their computer, access email or file shares. Business or day-to-day accounts should never be given elevated access. A person will move through the company; when access is granted to an account and that person’s role changes, more likely than not the high-level access will never be stripped. But if the user needs a separate account to perform high-access tasks and they move on, it’s far easier to block the user from using that account than to take permissions away.
- Don’t create ‘God’ accounts and don’t use them. Active Directory Domain Admin accounts should remain only domain admins. One common practice is to grant domain admins access to everything. A domain admin doesn’t need server admin rights, just as server admins don’t need domain admin rights. Break it down. The accounts should have access for their purpose, and at no time does a function require full ‘God’ access.
- Alert on administration account use. Every time a production system is accessed with a privileged account, alert the team. In a perfect world there will be a required change ticket and notification that the work will be done. Alerts will catch when something is being used outside the process.
- If a server does not need Internet access, don’t grant it.
- Privileged accounts should have stricter password policies and be forced to reset as often as or more often than users’ accounts.
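One way to wire the ‘Use When Needed’ check-out model to the alert-on-use item, as an added example that is not from this post: privileged logons are compared against vault check-out records, and any use of a privileged account that has no matching approved check-out window raises an alert. The account names, hosts, ticket numbers and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed: accounts under vault control (checked out only with an approved ticket)
PRIVILEGED = {"CORP\\svc-dba-admin", "CORP\\jdoe-da"}

# Constructed vault check-out records: (account, change ticket, window start, window end)
CHECKOUTS = [
    ("CORP\\svc-dba-admin", "CHG0001234", "2015-02-04T09:00", "2015-02-04T11:00"),
]

# Constructed logon events from production systems: (timestamp, account, host)
EVENTS = [
    ("2015-02-04T09:15", "CORP\\svc-dba-admin", "db-prod-01"),  # inside approved window
    ("2015-02-04T23:40", "CORP\\jdoe-da", "db-prod-01"),        # never checked out
    ("2015-02-04T12:30", "CORP\\svc-dba-admin", "db-prod-02"),  # after check-in, at rest
    ("2015-02-04T12:31", "CORP\\jsmith", "file-01"),            # day-to-day account, out of scope
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def approved_ticket(account, when, checkouts):
    """Return the change ticket covering this logon, or None if the account was at rest."""
    for acct, ticket, start, end in checkouts:
        if acct == account and parse_ts(start) <= when <= parse_ts(end):
            return ticket
    return None


def find_alerts(events, checkouts=CHECKOUTS, privileged=PRIVILEGED):
    """Flag every privileged logon that falls outside an approved check-out window."""
    alerts = []
    for ts, account, host in events:
        if account not in privileged:
            continue  # ordinary accounts are governed elsewhere; only vaulted accounts matter here
        when = parse_ts(ts)
        if approved_ticket(account, when, checkouts) is None:
            alerts.append({"time": ts, "account": account, "host": host,
                           "reason": "privileged logon with no approved check-out"})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print("ALERT", alert["time"], alert["account"], "on", alert["host"], "-", alert["reason"])
```

In practice the events would come from the logon audit trail and the check-outs from the vault; an in-window logon is expected work and silently passes, so the team only hears about use outside the process.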
Basically, what I am trying to get across is that administrators need high-level access to perform their job, but they don’t need to hold those permissions 24/7. Work with the layers of technology in the environment by creating an equally structured layer of process and governance, so you don’t inadvertently open a back tunnel that bypasses everything in the front. Administrators will adopt the process as the business lays it out.
Getting to that point will be a challenge as I have always said – “It’s easier to take candy away from a baby than access from an administrator.”
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.