Avoiding the five pitfalls of privileged accounts


Uploaded by jane on 27 Dec 2016

Page 1: Avoiding the five pitfalls of privileged accounts

FEATURE

Network Security, May 2013, page 12

“The transmission of non-public data over insecure channels such as unencrypted email, IM and HTTP should be banned. The same goes for storage of non-public data on unencrypted media. From experience it is easier to maintain a policy where everything is encrypted on hard drives, laptops and USB sticks rather than leaving the evaluation of the data and situation to the employee.”

A balancing act

Spencer Lynch, a director of digital forensics with digital risk management and investigations company Stroz Friedberg, has seen institutions where very sensitive information, such as financial and medical information, is stored in encrypted databases with robust security, but when sent between departments it is copied and pasted directly into unprotected emails.

“Limiting encryption to data at rest is of little value if there will constantly be unencrypted versions in transit circulating through the organisation for an attacker to steal,” he says. “It is a delicate balance to make sure that data is available and usable to a business that needs it, while unusable for an attacker who might get access to it. If security prevents the business from operating efficiently, it may even be more damaging than having the data breached.”

Of course, strong data protection does not make up for weak network security, and network security and data security are not mutually exclusive solutions to the same problem.

Tokuyoshi at Palo Alto Networks asks: “How much data can be protected in absence of strong network security? Can organisations expect that 100% of the required data to protect is encrypted? Network security and data protection work in conjunction with each other and we should not forsake the role of strengthening the perimeter as an important measure towards making data safer.”

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

Avoiding the five pitfalls of privileged accounts

Jane Grafton, Lieberman Software

It is a rather human truth that when we hand out privileges they often get abused. Whether you are operating in the high reaches of government or the most basic market the sad fact is – where we find privilege we also find the abuse of privilege. In the world of IT, privileged accounts are identities that have elevated permission to access potentially sensitive data, run programs or change configuration settings. To put it simply, privileged accounts are the keys to the kingdom of IT.

Privileged accounts grant access to sensitive data and configuration settings of your IT system. They’re rarely changed in most organisations, yet they’re known to nearly everyone. They don’t have the same level of accountability and auditing you get with normal user logins. They’re unlikely to be managed by existing Identity and Access Management (IAM) systems and, contrary to their description, they are rarely just in the hands of the privileged few – they end up in the hands of many, many layers of staff. In other words – privileged accounts are found virtually everywhere, which is ironic because they are the most powerful logins on your network and can cause you the biggest headaches.

You will find them on every server and workstation platform, on networking and datacentre appliances – from routers and switches, to load balancers and security appliances – and on almost every type of software you can name, including line-of-business applications, web services, databases and middleware. It’s easy to see why regulators want them controlled. But, perhaps more importantly, that’s the reason organisations need to get control of these deadly accounts.

The audit traps likely to trip you up

In recent years we have witnessed more and more organisations fail to secure their systems adequately, with catastrophic results. The hacking of Sony Corp’s PlayStation Network has earned a place in the annals of Internet crime, partly because of the massive size of the data breach: information about 77 million customer accounts was stolen. When examining the evidence, there are common practices that have led to these security breaches and failed IT compliance audits. How many of the top five are you guilty of?

No. 1: Avoid succumbing to the ‘attribution’ trap

The ‘attribution’ trap occurs when an organisation’s processes and practices make it impossible to know who had access to sensitive data and the ability to change system settings, on what system, when, and for what purpose. This is the equivalent of handing out copies of the keys to your house while you are on holiday: you are never going to find out who robbed you. So how do you spot an organisation that has already fallen into this trap?

• … seldom changed.
• … ‘who, what, when’ using privileged logins.
• … spreadsheet files and printouts where they keep the details of highly privileged logins ‘safe’.
• … in administrator accounts more frequently than you’d expect.

In a recent survey, conducted by Lieberman, a surprising 68% of respondents believe that, as an IT professional, they have more access to sensitive information than colleagues in other departments such as HR, finance and the executive team. The study found that, if they thought their job was at risk, 11% of respondents would abuse their administrative rights to snoop around the network to seek out the redundancy list and other sensitive information. In fact, if laid off tomorrow, 11% would be in a position to take sensitive information with them. Worryingly, nearly a third confirmed that their management did not know how to stop them.

This is an amazing state of affairs! Many organisations rely on their IT departments to keep them safe but all too often the reality is that powerful privileged account credentials are being abused by those very same IT departments. Senior management must step up to the plate and take charge by establishing systems and procedures to lock down data from prying eyes or their secrets will continue to be stolen from under their noses.

No. 2: Privileged account management is no place to use ‘DIY’

All too often privileged account management practices in organisations lack the efficiency, scale and resilience to secure the network against external and internal threats. Organisations rely heavily on scripts and ad hoc processes to complete routine management tasks, and ignore accounts that can’t be easily secured, leaving large security holes. The complications are:

• … projects.
• … by a small number of expert staff who become ‘high priests’ of privileged account access.
• … and manual changes knows the credentials.
• … workarounds and incomplete coverage that management cannot access.

For example, to change a single Windows service account password, you need to discover everywhere that the account is in use, stop all other dependent services in the right order, change every instance of the service credential and then restart all dependent services in the proper order. One large software vendor found it took 240 IT staff hours to change a single privileged service account manually ‘the right way’ inside its datacentre.

No. 3: Keep track of who you employ

Organisations often get caught out because they’ve failed to revoke contractor or employee highly privileged access when there is no longer an immediate business need. The reason is, in the majority of cases, it’s impossible to document who accessed data, when, and for what purposes. It’s further compounded as access is sometimes from unknown locations at odd times or, in some cases, there can even be an undocumented ‘back door’.

One of the most common causes behind recent data breaches involves either third parties, contractors or people who have left the organisation. In fact, one financial institution discovered that its privileged logins were published on an Internet hacker board by a fired IT administrator.

No. 4: Office administration for dummies

On the surface it seems idiotic and very unlikely to happen, but in many cases practices actively exist that actually allow IT staff to circumvent security in the name of ‘convenience’. These include ruses such as:

• … privileged logins.
• … grant too much access.

A very large insurance company used a common local admin password at the company’s sales office that was known by a few non-IT staff. This practice allowed thousands of unauthorised, and potentially unlicensed, applications to be installed remotely at offices all over the US. It’s important to remember: if one person can save the ship, she can also sink it.

No. 5: When ‘default’ really means ‘disaster’

This is the one that damages the most organisations, as they fail to account for privileged account security holes introduced by new and changed systems and applications. Organisations usually don’t know, and can’t find out, where all their privileged accounts reside. Also, password changes can cause account lockouts because of unknown interdependencies.

The problem is that it can lead to the blind leading the blind as many vendor staff, responsible for placing new equipment and applications, don’t themselves know if the products comply or conflict with the organisation’s existing infrastructure, security controls and policies.

A national healthcare provider based on the US West Coast failed to change a published default password for a server in its datacentre. This meant it was possible to take control of the server through a ‘lights out’ management card, access data and even power off the machine through this published password.

Four steps to privileged management success

It takes just four basic steps to regain control of privileged identities. These steps are easy to remember because they’re abbreviated as IDEA.

Identify: Identify all of the privileged identities that are present on critical IT assets in your infrastructure, whether on server or desktop operating systems, network appliances, line-of-business applications, and so on. Understand which of these identities are interdependent, so that when you change the credentials of one account you know to update the dependent accounts to avoid lockouts and service disruptions.

Delegate: Delegate access to these accounts so that only appropriate personnel can login to critical IT assets, always in a timely manner whenever needed, over a secure communication channel, using the least privilege required (to reduce the potential for damaging errors), with a documented purpose, only during designated times.

Enforce: Enforce rules for password strength, uniqueness (so that a password isn’t reused except where absolutely necessary) and change frequency, synchronising all of those changes across dependent processes.

Accountable: Use auditing and alerting processes that make individuals accountable for privileged access, set the right organisational tone, and alert management to any unusual events.
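As an added illustration of the four IDEA steps, and of the service-account password change described under pitfall No. 2, the following Python is example code written for this page; it is not from the article and not from Lieberman Software’s products. It models a small privileged-identity store: an inventory of logins and of the services that run under them with their dependencies (Identify); a checkout that records who used which login, when and why, and raises an alert on unusual use (Delegate, Accountable); a policy check for weak, shared, vendor-default or stale passwords, covering the shared sales-office admin password of pitfall No. 4 and the unchanged management-card default of pitfall No. 5 (Enforce); and a rotation that pushes a new secret to every dependent service in a safe stop/start order. All host, account and service names (appsrv1, salesws7, bmc1, CORP\svc_app, AppDB and the rest), the 16-character and 90-day thresholds, the 08:00 to 18:00 window and the default-password list are constructed for the example.

```python
"""Added example: a toy privileged-identity store that walks the IDEA steps.
All hosts, accounts, services and thresholds are constructed; nothing touches a real system."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import secrets
import string

NOW = datetime(2013, 5, 1, 10, 0, tzinfo=timezone.utc)  # fixed clock for the example
KNOWN_DEFAULTS = {"admin", "password", "changeme", "default"}  # stand-in for a vendor-default list

# Identify: every privileged login, where it lives, its secret and when it last changed.
# The two local Administrator accounts deliberately share a password (pitfall No. 4) and
# the management card still carries a vendor default (pitfall No. 5).
accounts = {
    "CORP\\svc_app": {"host": "appsrv1", "password": "Sumr2011!", "changed": NOW - timedelta(days=640)},
    "appsrv1\\Administrator": {"host": "appsrv1", "password": "Sales2012", "changed": NOW - timedelta(days=30)},
    "salesws7\\Administrator": {"host": "salesws7", "password": "Sales2012", "changed": NOW - timedelta(days=30)},
    "bmc1\\root": {"host": "bmc1", "password": "password", "changed": NOW - timedelta(days=900)},
}
# Services on appsrv1: the account each runs as, and the services it needs running first.
services = {
    "AppDB": {"account": "CORP\\svc_app", "depends_on": []},
    "AppCore": {"account": "CORP\\svc_app", "depends_on": ["AppDB"]},
    "AppWeb": {"account": "CORP\\svc_app", "depends_on": ["AppCore"]},
    "Reporting": {"account": "LocalSystem", "depends_on": ["AppCore"]},  # other account, still affected
}

def affected_services(services, account):
    """Services running as `account`, plus everything that transitively depends on one of them."""
    dependents = defaultdict(set)
    for name, svc in services.items():
        for need in svc["depends_on"]:
            dependents[need].add(name)
    affected = {s for s, svc in services.items() if svc["account"] == account}
    stack = list(affected)
    while stack:
        for dep in dependents[stack.pop()]:
            if dep not in affected:
                affected.add(dep)
                stack.append(dep)
    return affected

def stop_order(services, affected):
    """Stop order: each service precedes anything it depends on (start order is the reverse)."""
    remaining, order = set(affected), []
    while remaining:
        ready = sorted(s for s in remaining
                       if not any(s in services[o]["depends_on"] for o in remaining if o != s))
        if not ready:
            raise ValueError("dependency cycle among " + ", ".join(sorted(remaining)))
        order.extend(ready)
        remaining -= set(ready)
    return order

def new_secret(length=24):
    alphabet = string.ascii_letters + string.digits + "!#%*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate(accounts, services, account, who, purpose, now, audit):
    """Enforce: change the secret once and push it to every place it is used, in dependency
    order, so no service comes back up with the old credential. Returns the action plan."""
    stops = stop_order(services, affected_services(services, account))
    plan = [("stop", s) for s in stops]
    plan += [("set-credential", s) for s in stops if services[s]["account"] == account]
    plan += [("start", s) for s in reversed(stops)]
    accounts[account].update(password=new_secret(), changed=now)
    audit.append({"who": who, "what": "rotate " + account, "when": now.isoformat(), "why": purpose, "alerts": []})
    return plan

def policy_violations(accounts, now, max_age_days=90, min_length=16):
    """Enforce: strength, uniqueness across hosts and change frequency (thresholds are assumed)."""
    by_password = defaultdict(list)
    for name, acct in accounts.items():
        by_password[acct["password"]].append(name)
    findings = []
    for name, acct in sorted(accounts.items()):
        pw, age = acct["password"], (now - acct["changed"]).days
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append((name, "vendor default password"))
        if len(pw) < min_length:
            findings.append((name, "password shorter than %d characters" % min_length))
        if len(by_password[pw]) > 1:
            findings.append((name, "shared with " + ", ".join(n for n in by_password[pw] if n != name)))
        if age > max_age_days:
            findings.append((name, "not changed for %d days" % age))
    return findings

def checkout(accounts, account, who, purpose, now, audit, hours=(8, 18)):
    """Delegate and Accountable: record who/what/when/why; flag anything unusual as an alert."""
    alerts = []
    if account not in accounts:
        alerts.append("unknown account")
    if not purpose.strip():
        alerts.append("no purpose given")
    if not hours[0] <= now.hour < hours[1]:
        alerts.append("outside designated hours")
    record = {"who": who, "what": account, "when": now.isoformat(), "why": purpose, "alerts": alerts}
    audit.append(record)
    return record
```

Calling rotate(accounts, services, "CORP\\svc_app", "alice", "quarterly rotation", NOW, audit) returns the plan stop AppWeb, stop Reporting, stop AppCore, stop AppDB, set-credential on AppWeb, AppCore and AppDB, then the starts in reverse; Reporting runs as LocalSystem, so it is stopped and restarted but never receives the new credential. Run policy_violations(accounts, NOW) before the rotation and it flags the shared Sales2012 password on both Administrator accounts, the vendor default on bmc1\root and the stale, short service-account password; afterwards the service account is clean. On a real Windows host the set-credential step is the Win32_Service Change method (StartName and StartPassword) or sc.exe config <service> obj= <account> password= <secret>, and the inventory must come from discovery across every host (services, scheduled tasks, application pools, stored connection strings) rather than a hand-typed table, which is precisely the coverage gap the ‘DIY’ pitfall describes.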

You have to take responsibility and full control over all aspects of privileged identities, and not just so that you can sleep at night and ensure your organisation is safe: there are now stricter regulatory compliance and governance requirements around access than ever before, and now they have teeth. If you want to be a good boss, sleep at night and reduce your IT staff workload, take the advice in this article. If you don’t, you will find it’s not just the regulators who can harm you: now that they’ve been allowed to grow claws, the auditors are looking to sharpen them on someone. Just make sure it isn’t you.

About the author

Jane Grafton is director of business development at Lieberman Software. She has more than 20 years’ experience in domestic and international sales, marketing and business development. She came to Lieberman Software from Sun Microsystems, where she spent 12 years in field marketing management, supporting commercial accounts and federal systems integrators throughout the US. In this role, Grafton created sustained demand for Sun’s products and services. Prior to Sun, Grafton sold and developed new markets for Locus Computing Corporation’s UNIX software services, focusing on OEMs including IBM, Dell, Compaq, Cray, Tandem and StorageTek. At Computer Associates in the UK, she established a new corporate function, third-party marketing, by developing relationships with hardware manufacturers, distributors and management consultants. Grafton graduated from the University of San Diego, CA in applied mathematics.

Steve Gold

Black Hat Europe: mobile attack vectors in the spotlight

This makes for a mixture of amusement and jaw-dropping moments of realisation in many sessions, and the enormity of what the presenters are discussing – even though they may not have grasped the commercial consequences themselves

Steve Gold, freelance journalist

Black Hat Europe, held in Amsterdam during March of this year – and in common with its US cousin held in the late summer of each year in Las Vegas – is always a mixed bag. The security conference always features a wide variety of presenters covering a very broad range of topics, though always according to the mandate that any zero-day flaws that presenters discuss have not been detailed in public before.