There's a deadly security loophole at the heart of IT infrastructure: what are you doing about it?
The common thread running through the major breaches of 2015 is that all of them had their privileged access rights compromised. And yet how many IT departments have taken steps to mitigate against these threats?
In a world where any external attempts to access company networks are (rightly) vetted through multiple authentication procedures, it remains surprising and frankly alarming how much trust is conferred on people who are on the inside.
This is the so-called privileged access to systems, traditionally a right of those who need to maintain and support IT infrastructure.
This weakness has not been lost on the hackers. Consider last year’s biggest hacks: the likes of TalkTalk or Ashley Madison in which millions of customer details were exposed, or indeed the likes of Jeep or VTech. The common thread running through these breaches is that all of them had their privileged rights compromised.
55% of all cyber attacks last year were carried out by people who had privileged access to an organisation’s IT system (IBM’s 2015 Cyber Security Index). Privileged accounts are made available to administrators, super users and now routinely to external service providers and yet it’s the control and monitoring of how these credentials are used that causes the problem.
Irrespective of the size of the organisation, poor management of privileged accounts represents the greatest risk to its cyber security.
Challenges in tackling the management of privileged accounts fall into two main categories. The first involves control. Being able to successfully manage users accessing the right resources at the right time dramatically reduces the risk of a breach.
However the vast majority of firms are for legacy reasons reliant on directory services to control access and manage users of network infrastructure. The problem with that is it’s easy enough to grant access but hard to actively control or even revoke it.
IT pros often need remote access to infrastructures. It’s the nature of the job. We operate in a business environment in which flexible, location independent working is increasingly viewed as a productivity enabler. Furthermore, external third parties and contractors now routinely make up the IT administrative task force.
Using directory services to control IT admin access requirements is extremely difficult. To give you an idea: my company conducted a survey of IT professionals in which it revealed that half the respondents would find it difficult to identify whether an ex-employee or ex-contractor still had access.
In other words, they could be leaving the door wide open to the abuse of privileged rights.
The next distinct, although related challenge of managing privileged users is is to do with visibility. You may know you have a set of privileged users who log into to critical infrastructure of systems with sensitive data but how can you know when, for how long and what they’re doing during those sessions?
A common misconception is that the risk comes from privileged account not the users. In most cases IT infrastructure has developed organically. Networks have grown over time.
Legacy systems that support the business do not receive the security scrutiny they perhaps should. Very often shared accounts are still being used for administrative access to these kinds of servers and devices and they are problematic for a number of reasons.
In the event of a user leaving or their access being revoked, changes to the credentials have to be communicated to everyone else who uses them. If the credentials are rarely used, this increases the chances of passwords being stored insecurely or written down.
This was the case with Sony Pictures, where unprotected text files full of user names and passwords were saved on the network. Shared accounts also mean that in the event of a breach, your visibility of the network and ability to attribute blame are both poor.
All that is known is that the account was used; it would be almost impossible to track down an individual user and the shared nature of the account actually preserves anonymity.
By contrast, an audit trail can be used to positively demonstrate that a particular authorised change occurred, thus protecting the credibility of the majority of our hard-working, scrupulous IT personnel.
> See also: Twelve tips to combat insider threats
So, what can be done to get a better handle on this vital group of users? IT admins are the beating heart of an organisation’s IT infrastructure so leadership teams are understandably daunted by the thought of disrupting ‘business as usual’.
Here are five conditions that must be met for the efficient management of privileged users:
Shared accounts have got to go. Organisations should have the ability to generate, hide, disclose, change or sustain passwords targets and secure them in a certified safe.
Being able to define, award and easily revoke access to each system for each privileged user is a must.
The ability to view and control the connections and user activity on systems, and generate alerts on events. This is not only a big help when it comes to compliance but also in the event of a breach.
Seeing is believing
The ability to watch video recordings of user sessions privileges.
The ability to create reliable and enforceable audit trail of all activities of users privileges on the target systems.
Sourced from Bruce Jubb, Head of UK & Nordics, Wallix