The weakest link?

Worried about information security? The weakest link could be in your IT department, according to the latest research.

By Calum Macleod

It has long been maintained that you have to be crazy to work in the IT business – and now it’s official. A recent study by the US secret services (who ought to be eminently qualified to recognise the symptoms) and Carnegie Mellon University’s Computer Emergency Response Team (CERT) program, part of its Software Engineering Institute, analysed insider cyber crimes across a number of critical infrastructure sectors. The study indicated that insider sabotage is, in almost all cases, carried out by people who are disgruntled, paranoid, generally show up late, argue with colleagues and, basically, perform poorly at their jobs.

Nothing new there, you might say. But when the study also showed that 86 per cent of them held technical positions and 90 per cent had system administrator or privileged system-access, then you have to start asking questions. After all, we’re talking about a social group who relate better with machines than they do with fellow human beings.

Not a problem? Fortunately you managed to offload your psychotic geek to somebody else, so he or she – and trust me the ‘she’s’ are just as bad as the ‘he’s’ – is not your problem anymore? Well here’s the good news: only 41 per cent of those who sabotaged IT systems were employed at the time they did it. And the bad news?

Yes, you guessed it the majority of the insiders attacked following termination. In fact, a whopping 59 per cent of the insiders were former employees, 57 per cent did not have authorised system-access at the time of the attack and 64 per cent used remote access. Those virtual private networks (VPNs) are such wonderful things! Many used privileged system-access to set up the attack before they were terminated, primarily taking advantage of a lack of security controls and gaps in their organisation’s own access controls.

Indecent exposure

The bottom line is that most organisations are leaving themselves totally exposed by not paying due care and attention to the very people who are charged with looking after their systems and applications. To compound the problem many organisations have outsourced much – in some cases all – of their IT in order to achieve cost savings, not realising that the nutter may now be working at the outsourcer, or somebody else’s nutter is now going to look after your assets.

Every system, application, database, networking device – in fact everything in your organisation’s infrastructure – has a privileged-user account that grants the individual who has access unlimited power. So what is a privileged-user account? A privileged-user account is generally an account that has been created in order to manage a system or application and, because it is a generic account, it has three important characteristics:

It is all powerful;
It is anonymous;
In virtually 100 per cent of cases it can only work in combination with a password.

It is intended to make it possible to undertake management or carry out business critical tasks related to electronic information. The privileged user falls into one of three categories:

Administrative and pre-defined accounts

These are accounts that are created by the system or application. Examples abound, such as the windows administrator, the Unix root, the Cisco enable and one can go on and list virtually every system and application on the market which has a pre-defined administrator account;

Shared accounts

These are accounts that are generally created by an organisation with the express purpose of enabling a group of users to carry out privileged tasks;

Embedded accounts

These are accounts that are commonly embedded in applications, such as batch jobs, database applications, scripts, service accounts and the like. Increasingly, IT security officers are realising that this represents one of the greatest risks both to their organisation and to the individual’s role.

Privileged-user accounts are the easy target for anyone wishing to cause disruption because, generally, one can hide their identity behind the anonymous account – they don’t point to any one particular user so it can be hard to work out how the security lapse occurred or who might have been responsible.

Additionally, because there is no way to secure these accounts other than with a password (we’re not talking about individual user-identities that can be secured with various token-based systems) – and even if someone goes down the insane route of assigning these privileges to specific users – the privileged-user account is always there. Being password-based means that there has to be a process in place that changes the password on a regular basis, but if this is a manual process it might be a case of placing the lunatics in charge of the asylum.

Call to action

In order to ensure that an organisation protects its interests, it must ensure that clear policies and standards are in place to manage and control who has administrative access. Ultimately the most effective approach is to ensure that the number of privileged-user accounts on systems is kept to an absolute minimum. In other words do not start assigning users privileged access. Practice has shown that once the number of individuals with privileged access exceeds three, it becomes exponentially difficult to mange the process.

The more privileged-user accounts that are defined the closer the auditors need to look at the policies – and especially the adherence to the

policies – which might not be a bad thing. Other areas to consider are ensuring that users are only given access if all the conditions are correct. Are they on duty? Are in they in an appropriate location? Releasing privileged-user passwords to the user in the internet café with VPN access is not appropriate policy no matter how urgent the situation.

Changing passwords regularly is a necessity, and not repeating passwords within certain time periods is a must. Also, it becomes critical to maintain old passwords (version control) in a secure location since you never know when a particular system will need to be recovered.

It is important to understand that an organisation should allocate privileges on a restricted basis, such as on an event basis; or a need to use basis, and that a detailed record is kept regarding what privileges have been given to whom, when, for what purpose, where they were when this was given, and who approved the request – for every single event. And of major importance, ensure that all authorisation processes are completed, in the correct sequence, before privileged-user access is allowed.

There are countless situations regarding the use of privileged-user accounts and there are many technical solutions created to try and protect the privileged systems and applications to ensure that they are not vulnerable, but ultimately it is impossible to ensure that an infrastructure can be built that is 100 per cent secure. It is therefore imperative that the strictest controls possible are applied to providing access to the privileged-user passwords that are the keys that are needed to open each and every privileged-user account.

So as far as doing the right thing, I’d suggest starting from the basis that IT staff are the biggest risk to any organisation’s security and, if any one of them disputes this, remember that arguing with colleagues was one of the clear signs of danger! Automate the whole process, too. If privileged-user password management is not on your shopping list in 2007 it may already be too late.

Calum Macleod is European director of IT security tools specialist Cyber-Ark, which will be exhibiting at Infosecurity Europe 2007 in London on 24 – 26 April. For more information, please see www.infosec.co.uk. Calum Macleod can be contacted directly by e-mail, calum.macleod@cyber-ark.com.

For a copy of the CERT study, Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage, please go to www.cert.org/archive/pdf/merit.pdf.