It has long been maintained that you have to be crazy to work in the IT business, and now it's official. A recent study by the U.S. Secret Service, who must be considered eminently qualified to recognize the symptoms, and Carnegie Mellon University's Software Engineering Institute CERT Program (http://www.cert.org) analysed insider cyber crimes across critical infrastructure sectors. The study showed that insider sabotage was in virtually 100% of cases carried out by people who were disgruntled, paranoid, showed up late, argued with colleagues, and generally performed poorly.
Nothing new there, you might say, but when the study also shows that eighty-six percent of them held technical positions and ninety percent had system administrator or privileged system access, then you have to start asking questions. After all, we're talking about a social group who relate best with machines!
Not a problem, you say. Fortunately you managed to offload your psychotic geek to somebody else, so he or she (and trust me, the "shes" are just as bad as the "hes") is not your problem anymore. Well, here's the good news: only forty-one percent of those who sabotaged IT systems were employed at the time they did it. And the bad news (yes, you guessed it): the majority of the insiders attacked following termination. In fact a whopping fifty-nine percent of the insiders were former employees, fifty-seven percent did not have authorized system access at the time of the attack, and sixty-four percent used remote access. Those VPNs are such wonderful things! Many used privileged system access to set up the attack before they were terminated, primarily taking advantage of a lack of security controls and gaps in their organization's access controls (for example, accounts and passwords that were never disabled or changed when they left).
The bottom line is that most organisations are leaving themselves totally exposed by not paying due care and attention to the people who are charged with looking after their systems and applications. To compound the problem, many organisations are rushing to outsource the responsibility in order to achieve cost savings, not realizing that the nutter may now be working at the outsourcer, or that somebody else's nutter is now going to look after your assets. Every system, application, database and networking device, in fact everything in your infrastructure, has a privileged account that grants the individual who has access to it unlimited power.
So what is a privileged account? A privileged account is generally an account that has been created in order to manage a system or application, and because it is a generic account it has three important characteristics:
1. It is all powerful
2. It is anonymous
3. In virtually 100% of cases it can only work in combination with a password.
It is intended to make it possible to undertake management, or carry out business critical tasks related to electronic information.
Privileged accounts fall into three categories.
Administrative and pre-defined accounts: These are accounts that are created by the system or application itself. Examples abound, such as the Windows Administrator, the UNIX root and the Cisco enable account, and one can go on to list virtually every system and application on the market, each of which has a pre-defined account.
Shared accounts: These are accounts that are generally created by an organisation with the express purpose of allowing a group of users to carry out privileged tasks. For example, organisations will frequently create a shared account to provide access to a pre-defined account.
Embedded accounts: These are accounts whose credentials are commonly embedded in applications, such as batch jobs, database applications, scripts, service accounts and the like. Increasingly, IT security officers are realizing that this represents one of the greatest risks both to their organisation and to their own role.
Privileged accounts are the easy target for anyone wishing to cause disruption, because generally one can hide one's identity behind the anonymous account. Additionally, there is no way to secure these accounts other than with a password (we're not talking about individual user identities, which can be secured with various token-based systems). Even if someone goes down the insanity route of assigning these privileges to specific users, the privileged account is always still there. Being password based, it means that there has to be a process in place that changes the password on a regular basis, but if this process is manual it might be a case of the lunatics guarding the asylum.
It's Time To Lock Up Those Passwords and Throw Away the Keys
In order to ensure that an organisation protects its interests, it must ensure that clear policies and standards are in place to manage and control who has administrative access. Ultimately the most effective approach is to ensure that the number of privileged user accounts on systems is kept to an absolute minimum. In other words, do not start assigning users privileged access. Practice has shown that once the number of individuals with privileged access exceeds three, it becomes exponentially more difficult to manage the process.
The more privileged user accounts that are defined, the closer the auditors are going to look at the policies, and especially at adherence to the policies, which might not be a bad thing. Other areas to consider are ensuring that users are only given access if all the conditions are correct, such as: are they on duty, and are they in an appropriate location (releasing privileged passwords to a user sitting in an Internet café with VPN access is not appropriate policy, no matter how urgent the situation).
Changing passwords regularly is a necessity, and not repeating passwords within certain time periods is a must. It also becomes critical to maintain old passwords (version control) in a secure location, since you never know when a particular system will need to be recovered; a backup taken before a password change still carries the old password.
It is important to understand that an organisation should allocate privileges on a restricted basis, such as on an event basis or a need-to-use basis, and that a detailed record is kept regarding what privileges have been given to whom, when, for what purpose, where they were when this was given, and who approved the request, for every single event. Of major importance is ensuring that all authorisation processes are completed, in the correct sequence, before privileged user access is allowed.
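The controls described above (release only when the requester is on duty, in an acceptable location and independently approved; an audit record for every request; regular rotation with no reuse inside a time window; and versioned retention of retired passwords for recovery) can be sketched as a small check-out gate. The following is an added example written for this page, not Cyber-Ark's product code; the policy values (corporate network range, duty hours, 180-day history window), the account names and the timestamps are all constructed assumptions.

```python
"""Added example (not the article's or Cyber-Ark's code): a minimal privileged-password
check-out gate enforcing conditional release, per-request audit, rotation on check-in,
a no-reuse history window, and versioned retention of retired passwords.
All policy constants, account names and timestamps below are hypothetical."""
import hmac
import ipaddress
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values, not taken from the article.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # corporate LAN only, not VPN pools
DUTY_HOURS = range(8, 18)                                    # 08:00 to 17:59
PASSWORD_HISTORY_DAYS = 180                                  # no reuse inside this window
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%^*-_"


def ts(iso: str) -> datetime:
    """Parse a constructed timestamp such as '2007-04-24T10:00'."""
    return datetime.fromisoformat(iso)


def generate_password(length: int = 24) -> str:
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    target: str                    # e.g. "root@db01" or "enable@core-rtr1" (hypothetical)
    password: str
    installed_at: datetime
    # Version control: (password, installed_at, retired_at) for every retired value.
    # A real vault encrypts these at rest; here they live in memory only.
    history: list = field(default_factory=list)


class Vault:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.audit: list = []      # one record per request, whether granted or refused

    def add(self, account: PrivilegedAccount) -> None:
        self.accounts[account.target] = account

    def check_out(self, target, requester, approver, purpose, src_ip, now):
        """Release the password only if every gate passes; audit the request either way."""
        ip = ipaddress.ip_address(src_ip)
        denials = []
        if not approver or approver == requester:
            denials.append("no independent approval")
        if now.hour not in DUTY_HOURS:
            denials.append("requester off duty")
        if not any(ip in net for net in ALLOWED_SOURCE_NETS):
            denials.append(f"source {src_ip} outside permitted networks")
        granted = not denials
        self.audit.append({
            "when": now.isoformat(), "who": requester, "approved_by": approver,
            "target": target, "purpose": purpose, "from": src_ip,
            "granted": granted, "reason": "; ".join(denials) or "all gates passed",
        })
        return self.accounts[target].password if granted else None

    def rotate(self, target, now, new_password=None):
        """Retire the current password into history and install a fresh one that repeats
        neither the current value nor any value retired inside the history window."""
        acct = self.accounts[target]
        candidate = new_password or generate_password()
        cutoff = now - timedelta(days=PASSWORD_HISTORY_DAYS)
        recent = [pw for pw, _, retired in acct.history if retired >= cutoff]
        recent.append(acct.password)
        if any(hmac.compare_digest(candidate.encode(), pw.encode()) for pw in recent):
            raise ValueError(f"{target}: password reused within {PASSWORD_HISTORY_DAYS} days")
        acct.history.append((acct.password, acct.installed_at, now))
        acct.password, acct.installed_at = candidate, now
        return candidate

    def check_in(self, target, requester, now):
        """Returning the password ends the session: rotate so the released value is dead."""
        new = self.rotate(target, now)
        self.audit.append({"when": now.isoformat(), "who": requester, "target": target,
                           "event": "check-in, password rotated"})
        return new

    def password_at(self, target, when):
        """Which password was current at `when`, e.g. when a backup now being restored was taken."""
        acct = self.accounts[target]
        for pw, installed, retired in acct.history:
            if installed <= when < retired:
                return pw
        return acct.password if acct.installed_at <= when else None


if __name__ == "__main__":
    v = Vault()
    v.add(PrivilegedAccount("root@db01", "Init1alRootPw!", ts("2007-03-01T09:00")))
    # Constructed requests: one from an Internet cafe over the VPN, one from the office LAN.
    print(v.check_out("root@db01", "alice", "bob", "patch db01", "203.0.113.7", ts("2007-04-24T10:00")))
    print(v.check_out("root@db01", "alice", "bob", "patch db01", "10.1.2.3", ts("2007-04-24T10:00")))
    print(v.check_in("root@db01", "alice", ts("2007-04-24T11:00")))
    for rec in v.audit:
        print(rec)
```

The gates are deliberately evaluated together and the refusal reasons concatenated, so the audit trail shows every condition that failed rather than just the first. Retired passwords are kept in plaintext here purely to keep the example short; the point of `password_at` is that a vault must be able to hand back the value that was current when a given backup was taken, which a store of hashes cannot do.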
There are countless situations regarding the use of privileged user accounts, and there are many technical solutions created to try to protect the privileged systems and applications to ensure that they are not vulnerable, but ultimately it is impossible to build an infrastructure that is 100% secure. It is therefore imperative that the strictest controls possible are applied to providing access to the privileged user passwords, which are the keys needed to open each and every privileged account.
So as far as doing the right thing goes, I'd suggest that you start from the basis that your IT staff are the biggest risk to your organization's security, and if any one of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack! And automate the whole process. If privileged password management is not on your shopping list in 2007, it may already be too late!
Cyber-Ark is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,600 visitors from every segment of the industry. Held on the 24th to 26th April 2007 in the Grand Hall, Olympia, this is a must-attend event for all professionals involved in information security.
Has IT driven you Crazy?
New Research Shows IT Guys Could Be Your Achilles' Heel