Insider Threat: Limit Privileged AccessNew Tips for Mitigating Emerging Risks
The insider threat is a bigger concern than ever in the wake of system administrator Edward Snowden leaking details of the National Security Agency's secret surveillance programs. For years, organizations have focused on defining data access for end-users based on their roles. But the NSA incident highlights the challenges of preventing system administrators or "super users" from using wide-ranging access to data to wreak havoc.
"Organizations are thinking, 'if this can happen to the NSA, it can happen to me,'" says Eric Chiu, president and co-founder of HyTrust, a virtualization security and compliance company.
To address the insider threat, organizations must improve the management of privileged access accounts to limit the amount of data system administrators can access and restrict some of their activities on the network.
But privileged access accounts are more than just system administrator passwords. They can be default passwords that ship with hardware and software systems; generic accounts, such as "root" on Linux servers; or even passwords that are used by applications to log in to back-end systems, such as databases.
A hacker or rogue employee can use these accounts to change firewall configurations, modify network settings and edit server logs to hide their activities. These accounts give anyone "god-like access" over the network, Chiu says.
Controlling who has access to these accounts and tracking and monitoring exactly how they are being used is a critical part of preventing data leaks and network breaches. Organizations need to perform a comprehensive audit of their infrastructure to identify privileged accounts that are high-risk and need to be managed. They then must apply different levels of controls, based on the risk. And a group outside of IT needs to monitor and audit all of these privileged accounts to ensure the controls are correctly enforced.
Bringing Accounts Under Control
Despite mounting evidence to the contrary, many organizations still make the mistake of thinking their biggest threats are from outsiders. In too many cases, organizations give employees more access to systems and data than they really need; fail to monitor or disable accounts for third-party contractors when their work is done; routinely share account passwords across multiple users; and fail to oversee administrators to ensure they aren't abusing their powers.
Independent Health, a Buffalo, NY-based company that offers managed healthcare plans, had a familiar problem. The company had several different groups, including developers, database and system administrators, operations teams and support staff that needed privileged access to sensitive systems, says Jeremy Walczak, director of the company's information risk office.
To address the issue, Independent Health deployed privileged identity management system from Cyber-Ark Software to put some controls around these accounts and monitor how they are used.
Any project to bring privileged accounts under control begins with a comprehensive audit of all the systems on the network and associated accounts. Organizations need to know what privileged accounts they have to properly manage them, says John Worrall, chief marketing officer of Cyber-Ark Software, which offers privileged identity management software. In conducting an audit, organizations must keep in mind that many printers, conference call and voice-over-IP systems, and other hardware frequently ship with a maintenance account enabled by default.
"Without fail, during the discovery phase, you are going to find privileged accounts you didn't know you had," Worrall says.
The next step is to figure out the risks posed by each account. Organizations need to identify what accounts are privileged and sensitive and which passwords could cause data to be lost or result in downtime if compromised.
Accounts where multiple people share the password are high-risk because there is no way to track who was logged in with that account and why. Walczak suggests organizations determine which accounts can be exploited or used to log in to other systems, and then focus on restricting access to those accounts.
Some accounts can be just disabled, and some may be so limited that leaving them unmanaged is low-risk for the organization. The high-risk accounts should be added to the management platform so that they can be monitored, audited and controlled, effectively. These platforms provide accountability. For example, when someone attempts to use the server's local account, the logs show which user made the attempt.
This would have been useful for Saudi oil company Aramco, where malware wiped the hard drives of more than 30,000 systems last year, says Philip Lieberman, president and CEO of Lieberman Software, which offers identity management products. The infection was eventually traced back to someone using an account created for an outsourcing partner, but there was no way to track which employee at that contracted company was responsible, he points out.
Imposing Access Controls
Once the accounts have been added to the secure vault offered by these privileged identity management platforms, they can be controlled. Role-based management is perhaps the most common, giving each user baseline access and then layering additional privileges based on their job functions and responsibilities. Additional authentication mechanisms, such as biometrics or smartcards, can help verify the person really needs to use the privileged account.
Organizations may decide to restrict what commands the accounts can execute, such as allowing password resets, but not enabling shutting down the server or erasing data, Walczak says.
Under the concept of "least privilege," administrators are given only baseline access. When the administrator has to perform a task that requires more privileges, those specific functions are temporarily added to the administrator's user profile and automatically removed when the task is complete.
The auditor can associate each instance of privileged access with the help-desk ticket to verify it was granted appropriately, Walczak says.
Account credentials for back-end systems and services are frequently embedded in the code or hard-coded inside a configuration file. This makes password resets a challenge because if these instances aren't updated correctly, production processes will fail. Independent Health set up the applications to make an API call to the password vault instead. As a result, the developer, the ops team and even the support team never need to know what the current password for that system is, Walczak explains.
In the wake of the Edward Snowden leak, the NSA is implementing a two-person rule where accessing certain systems or performing sensitive tasks will require a second administrator's approval, General Keith Alexander, the NSA chief, recently said at an event at Fordham University (see: Who's to Blame at NSA for Snowden Leak?).
Auditing and Monitoring
Privileged identity management platforms can do more than detect that a user has accessed an account; they can also record account activity. Certain types of activity can trigger alerts so that the organization is aware of potential abuses. Behaviors can also be compared against a profile to ensure that a user is acting in accordance to their job function, says HyTrust's Chiu.
"If I had a sys admin copying a file from the server to their personal computer, I would be nervous," says Mike Tierney, vice president of operations at SpectorSoft, which provides monitoring software for computers and mobile devices.
Someone outside the IT organization should have the authority to monitor the logs generated by a privileged identity management system, Walczak suggests. That way, there is no risk of administrators hiding their activities, and the auditors can focus on monitoring. Independent Health, for example, has an information and risk division that handles the review process and monitoring.
Before it implemented its privileged identity management system, Independent Health had many of these processes for restricting access as part of its workflow, Walczak says. But the manual approach was time-consuming and prone to errors. Moving to a system where the entire process of assigning privileges and monitoring access is automated helped the organization improve its security operations, Walczak says.
Many organizations are waiting for something bad to happen before taking steps to improve management of their privileged accounts. But that leaves them vulnerable to insider threats and potentially gives outsiders a way to gain a foothold in the network, Chui contends. "The stakes are too high. It is a job-losing proposition."