The next control in Breaking Down The Critical Security Controls is number 5, Controlled Use of Administrative Privileges. The controls are ordered by an agreed level of importance, and I am surprised this one is not in the top 3. Administrative access is what all hackers are going for, especially in the current state of the Internet. Perimeter defense has improved dramatically over the years, intrusion detection systems are near real time, and encryption is more widely used than before. So the accounts that have all the access are what the hackers go after. Getting those is far easier, less intrusive and cheaper than the old Hollywood-style hack of breaking through the firewall.
Here’s the control –
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Controlling administrative access is a multi-tiered approach. The best answer is to bring in a Privileged Access Management (PAM) solution such as CyberArk, BeyondTrust, Thycotic or any other vaulting solution. Those take control of the accounts themselves and remove the human element from password management. When a privileged or elevated account is required it is ‘checked out’ of the vault, a new password is assigned for the duration of use, and when the work is done the account is ‘checked in’ and the solution resets the password to something no person knows. If the account is keylogged or otherwise compromised during use, the password the attacker captured stops working as soon as the account is returned. That shrinks the window but does not close it: whatever was done with the credential while it was checked out still happened, and anything derived from it during that window (an open session, a cached hash, an issued ticket) has to be treated as compromised as well. You can’t use an account if you don’t know the password (for the most part). In conjunction with multi-factor authentication on those sensitive systems you have greatly improved your control.
If the budget for a tool like that is not obtainable then I recommend clients heavily leverage their SIEM (Security Information and Event Management) solution to alert the security team any time those accounts are used. Any time one of those accounts logs in, has its password changed or reset, or is locked out, an alert should go immediately to a team that looks at it. In a mature security program no administrative account is used in a production environment without proper pre-approval: a change control notification, an incident ticket or some other record that the account is about to be used, so that each alert can be matched to an approval instead of being worked as an incident.
If you allow your support teams to use a Domain Admin account for day-to-day activities, and need that much administrative change in your production environment regularly… good luck to you.
Alert on use.
Approve before use.
Rinse and repeat.
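Here is what the “alert on use, approve before use” loop looks like as detection logic. This is an added example, not code from the post or from any SIEM product: the log lines are constructed and loosely modelled on Windows Security event IDs (4624 logon, 4672 special privileges assigned, 4723/4724 password change and reset, 4740 lockout), and the privileged account list and approval tickets are assumed values you would replace with your own. Use of a privileged account inside an approved change window is recorded as informational; use with no matching ticket, or a password change or lockout at any time, is raised as high severity.

```python
"""Alert on privileged-account use that has no matching pre-approval.

Added example, not the post's own code. Log lines below are constructed
and loosely modelled on Windows Security events; account names and change
tickets are assumed values.
"""
import re
from datetime import datetime

# Accounts that should never be used outside an approved change window (assumed).
PRIVILEGED_ACCOUNTS = {"da-jsmith", "svc-backup-admin", "administrator"}

# Windows Security event IDs that matter for a privileged account.
WATCHED_EVENTS = {
    4624: "logon",
    4672: "special privileges assigned to new logon",
    4723: "password change attempted",
    4724: "password reset attempted",
    4740: "account locked out",
}

# Only logons are acceptable inside a window; password changes and lockouts
# should be the vault's doing (or the ticket's), never a person's.
ALLOWED_WITH_TICKET = {4624, 4672}

# Constructed pre-approvals: (ticket, account, window start, window end).
APPROVED_WINDOWS = [
    ("CHG-1042", "da-jsmith",
     datetime(2016, 3, 14, 22, 0), datetime(2016, 3, 15, 1, 0)),
]

# Constructed, simplified log format: "<date> <time> EventID=<n> Account=<a> Host=<h>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) Host=(?P<host>\S+)$"
)

SAMPLE_LOG = [
    "2016-03-14 22:15:03 EventID=4624 Account=da-jsmith Host=DC01",
    "2016-03-14 22:15:03 EventID=4672 Account=da-jsmith Host=DC01",
    "2016-03-16 09:02:11 EventID=4624 Account=da-jsmith Host=WS-117",
    "2016-03-16 09:05:40 EventID=4724 Account=svc-backup-admin Host=DC01",
    "2016-03-16 09:07:00 EventID=4740 Account=administrator Host=DC01",
    "2016-03-16 09:07:30 EventID=4624 Account=jdoe Host=WS-117",
    "2016-03-16 09:08:00 EventID=4634 Account=da-jsmith Host=WS-117",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event_id": int(m["eid"]),
        "account": m["acct"].lower(),
        "host": m["host"],
    }


def approval_for(account, when):
    """Return the ticket covering this account at this moment, else None."""
    for ticket, acct, start, end in APPROVED_WINDOWS:
        if acct == account and start <= when <= end:
            return ticket
    return None


def evaluate(lines):
    """Run the rule over log lines; one alert per watched privileged event."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["account"] not in PRIVILEGED_ACCOUNTS:
            continue  # malformed line, or an ordinary user: not our concern here
        what = WATCHED_EVENTS.get(ev["event_id"])
        if what is None:
            continue  # e.g. 4634 logoff: noise for this rule
        ticket = approval_for(ev["account"], ev["time"])
        approved = ticket is not None and ev["event_id"] in ALLOWED_WITH_TICKET
        alerts.append({
            "time": ev["time"].isoformat(sep=" "),
            "account": ev["account"],
            "host": ev["host"],
            "event": what,
            "ticket": ticket,
            "severity": "info" if approved else "high",
        })
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f'{a["severity"]:4} {a["time"]} {a["account"]}@{a["host"]}: '
              f'{a["event"]} (ticket={a["ticket"]})')
```

Wiring this into a real SIEM means replacing `SAMPLE_LOG` with the forwarded Security log and `APPROVED_WINDOWS` with a lookup against the change system; the rule itself stays the same. Note the logoff event and the non-privileged user produce nothing, so the team only sees the five events worth a look, two of which are already explained by the ticket.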
How It Could Be Exploited
This is the easiest path to success for cybercriminals. The biggest examples are the Anthem and Target breaches. Both happened when accounts with too much access and too little monitoring (or too little reaction to the monitoring) were used to pull tens of millions of records. As I mentioned before, cybercriminals behave very much like businesses: they do a cost-benefit analysis on their efforts. It is far easier to social engineer a company, send phishing emails to harvest credentials, or drop keylogger payloads at thousands of people than to brute force a firewall, scan for system vulnerabilities and spend days or weeks trying to crack encryption.
All it takes is one system admin whose everyday work account carries administrative access clicking the wrong link, logging in to a fake site and handing over their password. Firewalls, encryption and intrusion detection all ignore people who have the access. Get the keys to the kingdom and you can walk around freely with no one paying attention. Unless, that is, you compensate with SIEM alerts, split the accounts so they are purpose based rather than user based (one account for user creation, one for group management, and so on, each holding only the rights that job needs), and deploy multi-factor authentication so that a password and a smile are not enough to get into a sensitive area.
PCI is getting smart: PCI DSS 3.2 makes multi-factor authentication mandatory for all non-console administrative access into the cardholder data environment, not just for remote access.
Does a bank give the janitor the master key with access to the vault because it’s easier? No, they get the keys to the rooms that need cleaning. Why don’t people look at digital keys the same way?
I know why: because it’s easier, and we can all trust the sysadmins to keep them safe… right?
End of line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions that help companies and individuals figure out HOW to be secure every day.