
Securing privileged accounts

Philip Lieberman, president and CEO of Lieberman Software

To a hacker, the shared, cryptographically weak privileged logins used by service provider staff look like an incredibly attractive target.

From Operation Aurora, the 2009 cyber attacks on Google and other large enterprises, to the recent breach of VeriSign, hackers have learnt to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks.

Philip Lieberman, president and CEO of Lieberman Software, explains what companies can do to mitigate the risks of falling prey to this trend.

“It's always easy with hindsight, but today it seems clear that the criminals behind recent, high-profile cyber attacks weren't necessarily computer geniuses, just good opportunists. They were able to exploit human nature and then abuse an open door they knew they'd find.”

Lieberman says these hackers use creative tactics such as spear-phishing e-mails. Spear phishing is when hackers send e-mails to a targeted group of people who share specific characteristics or other identifiers. The e-mails appear to come from a trusted source, but are crafted to help the hackers obtain trade secrets, credentials or other classified information.

From a single computer inside a company, attackers can exploit weak, shared privileged accounts to take control of systems throughout the victims' network, map its infrastructure and extract sensitive information, he explains.

According to him, potentially vulnerable privileged accounts are found everywhere in the IT infrastructure – on host computer operating systems, in network appliances and backup systems, and in line-of-business software.

He says passwords are the main barrier between hackers and a business' private data. However, all too often, these credentials are not adequately secured, monitored and audited.

Privileged accounts

Because shared and service privileged accounts are not tied to an individual user, conventional identity and access management (IAM) systems typically do not track them, and most organisations have no automated way to manage them. Lieberman says IT security regulations, mandated by government and industry groups, require organisations to frequently update privileged account credentials and audit their use.

However, updating these accounts with scripts or by hand is time-consuming and error-prone, making it impractical. In addition, manual changes can cause service outages if personnel fail to account for interdependencies between different privileged accounts. Therefore, many businesses simply ignore the problem.

He says that, unfortunately, the security risks introduced by weak privileged account security don't stop at the data centre door. More and more of the shared services that an organisation probably uses – including cloud services, certificate authorities and financial service gateways, to name a few – have been exposed as having weak or non-existent privileged account security.

“To a hacker, the shared, cryptographically weak privileged logins used by service provider staff look like an incredibly attractive target – especially since, in these environments, a single compromised login can expose the private data of scores of corporate customers.”

Taking control

He says securing of privileged accounts can happen in three simple steps. Firstly, an organisation must find the keys. It needs to execute a top-to-bottom audit of the entire network to determine exactly where all the privileged accounts reside. This should include cataloguing whether the logins are sufficiently unique and complex, and whether they are changed often enough to be secure.

Following this, he recommends that businesses lock the doors. “If needed – and if it isn't, I'd question your auditors' sanity – you should deploy the basic automation necessary to close any discovered security holes. There are cost-effective solutions available that can not only secure these accounts on very large networks, but do so in hours or days, rather than months.”

Lastly, he says secure the windows. “There's no point securing your network if critical external elements are left vulnerable. Demand that key business partners – including cloud service providers, certificate authorities, and others – demonstrate that they're in compliance with meaningful mandates like the Consensus Audit Guidelines. I'd argue that if they offer self-certifications like SAS70, they don't take the problem seriously and will eventually leave the business exposed.”
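The "find the keys" audit above, and the shared-credential problem described earlier in the article, come down to three checks over an inventory of privileged accounts: is the same credential reused on more than one host, is it complex enough, and has it been rotated recently. The following is an added example, not code from the article or from Lieberman Software; it assumes a hypothetical inventory in which the vault knows each account's current secret (with a hash-only inventory, such as NT hashes pulled from a domain, only the sharing and age checks apply), and the hosts, accounts and dates are constructed for illustration.

```python
"""Audit a privileged-account inventory for the three weaknesses the article
names: credentials shared across hosts, weak passwords, and stale rotation.
Added example with a constructed inventory; not the article's own tooling."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import hashlib
import re


@dataclass(frozen=True)
class PrivAccount:
    host: str
    account: str
    secret: str        # assumption: the vault/inventory knows the current secret
    last_changed: date


def fingerprint(secret: str) -> str:
    """Compare credentials by digest so the report never carries plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def is_complex(secret: str, min_len: int = 14) -> bool:
    """Length floor plus at least three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    hits = sum(bool(re.search(c, secret)) for c in classes)
    return len(secret) >= min_len and hits >= 3


def find_shared(inventory):
    """Group accounts by credential fingerprint; a group with more than one
    member is one password reused across hosts, which is what lets an attacker
    move laterally from a single foothold."""
    groups = defaultdict(list)
    for a in inventory:
        groups[fingerprint(a.secret)].append((a.host, a.account))
    return {fp: members for fp, members in groups.items() if len(members) > 1}


def audit(inventory, today, max_age_days=90, min_len=14):
    """Return (host, account, issues) for every account failing a check."""
    shared = {m for members in find_shared(inventory).values() for m in members}
    findings = []
    for a in inventory:
        issues = []
        if (a.host, a.account) in shared:
            issues.append("shared")
        if not is_complex(a.secret, min_len):
            issues.append("weak")
        if (today - a.last_changed).days > max_age_days:
            issues.append("stale")
        if issues:
            findings.append((a.host, a.account, tuple(issues)))
    return findings


# Constructed sample inventory: two web servers and a database sharing one
# password, a firewall with a default-style login, and one well-kept service account.
TODAY = date(2012, 2, 15)
INVENTORY = [
    PrivAccount("web01", "Administrator", "Summer2011!", date(2011, 6, 1)),
    PrivAccount("web02", "Administrator", "Summer2011!", date(2011, 6, 1)),
    PrivAccount("db01", "sa", "Summer2011!", date(2012, 1, 20)),
    PrivAccount("fw01", "admin", "admin", date(2010, 3, 12)),
    PrivAccount("bk01", "backup_svc", "xT9#qL2m!vR7$wPz", date(2012, 1, 10)),
]

if __name__ == "__main__":
    for fp, members in find_shared(INVENTORY).items():
        print(f"credential {fp} shared by: {members}")
    for host, account, issues in audit(INVENTORY, TODAY):
        print(f"{host}\\{account}: {', '.join(issues)}")
```

The sharing check is the one that matters most for the lateral-movement scenario: three hosts here fail it on a single password, so compromising any one of them yields the other two. Rotation age and complexity are reported per account so the same output can feed an automated remediation queue.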

He says it has been shown that hackers can breach any corporate network. In the past few months, the intruders seem to be gaining even more of an upper hand, as word has leaked out that perhaps four more certificate authorities have been compromised in attacks similar to that suffered by DigiNotar, in which fraudulent certificates were issued following a breach in September last year.

“Many organisations seem to be reeling from the severity of the situation, and some have responded with panic and confusion as they hurry to latch the doors while leaving the keys in the locks. The data centre relies on privileged identities to function and that's not going to change. However, failure to protect these accounts will leave private data exposed.”
