As the Center for Internet Security (CIS) is gearing up to release version 7 of the CIS Controls, the security community is once again reminded that there are a few fundamental security practices we cannot let languish. Always among the top five most important controls that help companies ward off vulnerabilities (and exploits) is controlled use of administrative privileges. For many, this seems like a “no brainer.” Administrative rights—to documents, files, and systems—are the proverbial keys to the kingdom; they provide the administrator account unfettered access to the organization’s most sensitive information.
Of course, if these privileges are abused in any way (either by a disgruntled or accidental insider or by a sneaky external threat actor), data and systems can be tampered with, causing significant business disruption, the avoidance of which should be at the top of any security team’s list. Why, then, do administrator accounts continue to be problematic? Why is it seemingly so hard to get them under control? All it takes is one easy phish and—bam!—your network has been compromised.
InfoSec Insider spoke with Jonathan Sander, CTO at STEALTHbits, about the persistent problems admin accounts pose to try (once and for all) to convince organizations to put more effort into managing them. Nota bene: while privileged accounts present a potentially serious security issue, managing admin accounts isn’t necessarily a security responsibility. Here we go again, you’re likely thinking, and you’d be right. But the truth is, a system administrator can be the head of your company’s finance department, an HR coordinator, or your marketing database manager. These folks have plenty on their to-do lists, and keeping their privileged accounts sacred is generally not ranked near the top. Unfortunately, though, as Sander points out, “If you’re not controlling privileged accounts, all of your other security controls are ineffective!”
Not layered security
Security teams work hard to implement an abundance of other effective security controls: microsegmented firewalls, data protection, endpoint protection, and on and on. But all of the greatest, layered security wrapped around systems and data is fruitless if there is a person or team that can use authorized credentials to unlock the backdoor and reconfigure all of the settings, warns Sander. The problem, he continues, is that no one is watching the watchers, so to speak. “People with admin access can see everything and change anything they want, because in most cases—at most of the organizations I’ve seen—session monitoring isn’t routine, timeouts are not set on the most privileged accounts, and the system isn’t set up for active rotation.”
Security organizations that approach the problem of privileged accounts as they do other security issues are missing the boat, he says. The process of issuing and managing privileged accounts is very complex, and it can’t be solved with another layer of protection, like applying encryption or implementing DLP. With identity and access management, there is no one layer of protection; it’s a cross-discipline problem that requires agreement and participation from everyone involved—security inclined or otherwise. Sander recommends companies (if they haven’t already) implement a privilege control program that leverages an enterprise-grade password vault. Doing so allows the security team to oversee account creation and management, while giving the IT or operations team visibility (through the SIEM or data correlation) into how accounts are being managed.
“In this way,” Sander says, “there is a system of checks and balances: Security is watching the admins, and IT or ops is watching security.” This type of system also helps organizations wrangle the plethora of new administrative controls being created every day. Especially in larger companies that might be rolling out new applications, sending data or apps to the cloud, or deploying a new technology daily (or even multiple times per day, in some cases), it’s near-impossible to account for all the admin accounts. The pace of business today is such that new tools and technologies are implemented ASAP, and without much thought to who-has-access-to-what-and-how-are-we-going-to-keep-that-access-private-and-secure.
There is no good way for companies, let alone security teams, to keep track of what software and applications are being deployed. Orchestration has moved the needle slightly, says Sander, but what the market needs is truly agile capabilities. While the security market moves towards behavioral-based authentication and biometrics, passwords aren’t going away any time soon. Passwords are the problem people love to hate and hate to love.
Though security’s dream is password elimination, for the meantime companies need to identify and implement processes and controls that allow them to tamp down on undisciplined privilege use, misuse, and abuse. Sander’s advice is to approach passwords from an enterprise mindset. The privileged identity market is mature; a properly maintained vault can supply automated password rotation, application integration, session control, and monitoring, and enforce multifactor authentication. Reputable vendors offer these features to all enterprise accounts, yet many vault administrators don’t turn them on (oh, the irony).
Sander says the problem is one of prioritization. In the words of Willy Wonka: We have so much time and so little to do…wait, strike that and reverse it. Yes, security has so very many priorities, and taking on the executive team to budget for, purchase, implement, and enforce a new authorization and authentication system is no easy task. Security teams will always feel pushback when it comes to requiring users to change ingrained processes and behaviors. That said, if it were a new way to market or sell products that was proven effective, the management team would have no problem instituting change.
Make the case for prioritization
Security leaders need to “make the case for prioritization,” says Sander, even though identity and access management isn’t the sexiest topic. When breaches and ransomware regularly steal the headlines, it’s easy to fall into the trap of leveraging those events to procure more support for products and processes which are under security’s complete control and do not require enterprise-wide change. However, at the root of many of the headlines are privileged accounts. And someone has to be watching how they’re being used and abused.
Privileged account problems affect everything. It’s that simple. Sander recommends that security leaders ask themselves these three questions:
- Does the organization have a vault, and are we using it well? In other words, is my team utilizing all the security features listed in the manual?
- Is my team watching the watchers? In other words: Do I have people or tools that can monitor the behavior of the vault and the people using it?
- Are we doing (at least) rudimentary privileged account discovery, monitoring, and tracking?
If the answer to any of the above is “no,” it’s time to look into overhauling your privileged account management program.
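To make the third question (and the missing rotation, timeout and MFA controls Sander describes earlier) concrete, here is an added example that is not code from the article or from STEALTHbits: a rudimentary privileged account discovery and tracking pass over a constructed directory export and vault report. The group names, the account attribute fields, the sample dates and the 90-day rotation threshold are all assumptions.

```python
# Added example (not the article's or STEALTHbits' code): rudimentary privileged
# account discovery and tracking over a constructed directory/vault export.
# Group names, attribute fields and the 90-day rotation threshold are assumptions.
from datetime import date

# Constructed sample: group -> members; a member that is itself a group is nested.
GROUPS = {
    "Domain Admins": ["alice", "svc_backup", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["carol"],
    "Marketing": ["dave"],
}
# Constructed per-account attributes, as a vault or IAM report would hold them.
ACCOUNTS = {
    "alice":      {"in_vault": True,  "mfa": True,  "last_rotation": date(2018, 1, 10),  "timeout_min": 15},
    "bob":        {"in_vault": True,  "mfa": False, "last_rotation": date(2017, 6, 1),   "timeout_min": 0},
    "carol":      {"in_vault": False, "mfa": False, "last_rotation": date(2017, 11, 20), "timeout_min": 0},
    "svc_backup": {"in_vault": False, "mfa": False, "last_rotation": date(2016, 3, 5),   "timeout_min": 0},
}
PRIVILEGED_GROUPS = ["Domain Admins"]  # assumption: the groups that count as admin


def resolve_members(group, groups, seen=None):
    """Transitive user membership of `group`; `seen` guards against group cycles."""
    seen = set() if seen is None else seen
    users = set()
    for m in groups.get(group, []):
        if m not in groups:          # a user, not a nested group
            users.add(m)
        elif m not in seen:          # nested group: descend once
            seen.add(m)
            users |= resolve_members(m, groups, seen)
    return users


def discover_privileged(groups=GROUPS, privileged_groups=PRIVILEGED_GROUPS):
    """Who really holds admin rights, nested groups included (checklist question 3)."""
    return set().union(*(resolve_members(g, groups) for g in privileged_groups))


def audit_privileged(accounts=ACCOUNTS, groups=GROUPS, today=date(2018, 3, 1), max_age_days=90):
    """Per privileged account, which of the controls the article names is missing."""
    checks = [
        (lambda a: not a["in_vault"], "not in vault"),
        (lambda a: not a["mfa"], "mfa not enforced"),
        (lambda a: (today - a["last_rotation"]).days > max_age_days, "password not rotated"),
        (lambda a: a["timeout_min"] == 0, "no session timeout"),
    ]
    return {u: [msg for cond, msg in checks if cond(accounts[u])]
            for u in sorted(discover_privileged(groups))}
```

Running `audit_privileged()` on the sample data surfaces carol, who is an admin only through two levels of nesting, and the unvaulted service account, which is exactly the kind of account a group-by-group eyeball check misses.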