Privileged Users Exploited by Hackers
It’s often the obvious that trips you up when you’re focused on the wrong things - and, similarly, it’s sometimes the security basics that get overlooked by security professionals new to the field, as a commentary article on DarkReading.com noted. Calling 2014 “the year of privilege vulnerabilities,” the author, Marc Maiffret, identified a pattern of criminals taking advantage of privileged accounts and passwords to access and steal company data.
Maiffret cites an example from Microsoft Windows environments in which every employee’s Active Directory account is added to the local computer’s Administrators group, a practice found in both small and large companies. The purpose of having different groups within AD is, of course, to limit privileges and make it easier for administrators to manage users. But that control is rendered useless if membership in the Administrators group is handed out automatically to every account.
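The misconfiguration Maiffret describes is easy to audit on an individual workstation. The following PowerShell script is an added example, not code from the original article or from Duo; it uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later) to list members of the local Administrators group and flag domain user accounts, or the entire “Domain Users” group, that have been granted local admin rights. The allow list and the function name `Get-LocalAdminFindings` are assumptions for this example and should be adjusted to your environment.

```powershell
# Added example (not from the original article): audit the local Administrators
# group for domain principals that should not be there.
# Requires Microsoft.PowerShell.LocalAccounts (Windows PowerShell 5.1+ / PowerShell 7
# on Windows) and local administrator rights to read group membership.

# Assumption: only these principals are expected in the local Administrators group.
# 'Domain Admins' is the default AD group name; adjust for your environment.
$AllowedMembers = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:USERDOMAIN\Domain Admins"
)

function Get-LocalAdminFindings {
    [CmdletBinding()]
    param(
        # Members that are expected; anything else produces a finding.
        [string[]]$Allowed = $AllowedMembers
    )

    # Each member object carries Name (DOMAIN\name), ObjectClass (User/Group)
    # and PrincipalSource (Local, ActiveDirectory, AzureAD, MicrosoftAccount).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        if ($Allowed -contains $m.Name) { continue }

        if ($m.ObjectClass -eq 'Group' -and $m.Name -match '\\Domain Users$') {
            # Worst case: every domain account is a local administrator.
            $finding = 'Entire domain user population granted local admin'
        }
        elseif ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User') {
            # The pattern from the article: an ordinary AD user account made admin.
            $finding = 'Individual domain user account is a local administrator'
        }
        else {
            $finding = 'Unexpected member (not on allow list)'
        }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Finding         = $finding
        }
    }
}

# Run on the local machine; no output means the group matches the allow list.
Get-LocalAdminFindings | Format-Table -AutoSize
```

Run this across a fleet with `Invoke-Command` against a list of computers (or through a scheduled task that writes the results to a central share) to find hosts where group membership has drifted from the least-privilege baseline. Offending entries can then be removed with `Remove-LocalGroupMember -Group 'Administrators' -Member <name>` after confirming the account genuinely does not need local admin rights.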
This raises the point that several high-profile breaches of 2014 could have been prevented if companies had followed the model of least privilege: the principle of limiting each user to the lowest level of access rights that still lets them do their job. As SANS stated, “it [least privilege] restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual.”
It may also help limit the insider threat by reducing the amount and scope of information an individual can access, based on their job function. Morgan Stanley, a major wealth management firm, reported yesterday that it had fired an employee after finding that 350k customer financial accounts (10 percent of its total wealth management accounts) had been illegally accessed and stolen with the intent to sell, proving that the insider threat can have serious consequences.
The DarkReading.com article cites security bulletins issued by Microsoft, some of which addressed vulnerabilities enabling remote code execution (RCE). Of the 39 RCE vulnerabilities announced last year, 87 percent could have been mitigated in a least privilege environment.
Another security basic that may seem like a “small” detail is two-factor authentication. Overlooking it allowed attackers access to 83 million records and over 90 servers on the network of JPMorgan Chase, a major financial institution, last summer. The NYTimes.com acknowledges that “the largest intrusion of an American bank to date might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network.”
So why are the security basics being overlooked? The Ponemon Institute’s survey, Corporate Data: A Protected Asset or a Ticking Time Bomb?, published late last year, reveals the problem may lie within the priorities within an organization. Only half of IT practitioners believe that their CEO and other C-level executives make data protection a priority, while less than half find there is strict enforcement of security policies on using and accessing company data.
Part of the problem may be an inability to manage the security controls that are already in place. Without the ability to separate administrative roles, further security issues can arise internally, even unintentionally. For example, Duo Security’s administrative controls feature (role-based access) allows a primary administrator to delegate different roles to other administrators with fewer privileges and capabilities, as relevant to their job role or task type.
Separating roles and applying models of least privilege to users and administrators alike is a key requirement of certain data regulation standards, including those that dictate financial data security and general information security, such as the FFIEC, GLBA, ISO 27000 and SANS.
Another interesting point, made in a different DarkReading.com article, is that too many companies focus on perimeter security without enough insight into what’s going on inside their own networks. The author, Jai Vijayan, argues that in many data breaches, such as Target and Home Depot, attackers used stolen login credentials and spear-phishing campaigns to bypass the security controls set up around the companies’ perimeter and steal customer data. Forgetting about the basics, like two-factor authentication, can prolong a breach and let attackers go undetected.
Getting the very basics down may go a long way in stopping an attacker at the front door, stopping them along the way, or stopping them from getting to privileged information.