By now, everyone is aware of the latest widespread flaws in modern processors – Meltdown and Spectre. The shortest description of the problem is that the isolation that was believed to keep data used by one application (or by the operating system kernel) from being read by another can be bypassed. The flaws are in the hardware itself, in the way CPUs speculatively execute instructions; the fixes, for now, are being delivered in software, through operating system patches and CPU microcode updates.
Essentially, we have a physical security issue in the virtual world. However things develop with these flaws, strong access controls are now more important than ever in your environment. Exploiting these flaws requires running code on the affected server in order to read its memory – so you need to tighten your controls to ensure that only trusted individuals, with a good reason, can get onto your systems. This is the point in time where access to any system or server in your environment becomes a privilege.
Chip manufacturers have confirmed that one or both of these vulnerabilities affect nearly every computer system in use today. The scope of the problem is global, and the patches are expected to reduce performance significantly on some cloud and server workloads. Official patches for these vulnerabilities are becoming available; however, there is no ETA on a complete resolution of the problem. No attacks have been observed in the wild at this time, but proof-of-concept code was published alongside the disclosure, so it is imperative that compensating controls be put in place before working exploits reach your environment. For BeyondTrust customers, deploying one or more of our products puts strong compensating controls in place by limiting who can run code on your servers in the first place. You have worked to build a layered defense, and you added strong access controls during your deployment of our products. You know who is on your systems, and exactly what they are doing.
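As an added example (not part of the original post, and not a BeyondTrust tool), the following POSIX shell check reports whether the Linux kernel on a host says it is mitigated against these flaws. It assumes a kernel that exposes the per-flaw status files under /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15 and the distribution backports that shipped with the patches); the file names, the directory path, and the VULN_DIR override are assumptions about that interface, and the sample strings are constructed in the kernel's reporting format so the classifier can be exercised offline. A host whose kernel predates the interface has no such directory at all, which the script treats as "assume unpatched".

```shell
#!/bin/sh
# Added example, not from the original post or from BeyondTrust.
# Classifies the Meltdown/Spectre mitigation status that Linux 4.15+ (and
# distro backports) publish as one file per flaw under VULN_DIR.
# Assumed interface: each file holds one of
#   "Not affected" | "Vulnerable..." | "Mitigation: <technique>"

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING
# Prints one of: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) printf 'not_affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# report_host
# Prints "<flaw> <status> (<raw kernel string>)" per file.
# Exit status: 0 = nothing reported vulnerable, 1 = at least one flaw
# still vulnerable, 2 = interface absent (old kernel, treat as unpatched).
report_host() {
    rc=0
    if [ ! -d "$VULN_DIR" ]; then
        printf 'no %s: kernel predates the sysfs interface, assume unpatched\n' "$VULN_DIR" >&2
        return 2
    fi
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        st=$(classify_status "$raw")
        printf '%s %s (%s)\n' "$(basename "$f")" "$st" "$raw"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample values in the kernel's format (not read from a real host).
SAMPLE_MELTDOWN="Mitigation: PTI"
SAMPLE_SPECTRE_V1="Mitigation: __user pointer sanitization"
SAMPLE_SPECTRE_V2="Vulnerable: Minimal generic ASM retpoline"
SAMPLE_UNAFFECTED="Not affected"

# run_demo: feeds the constructed samples through the classifier.
run_demo() {
    for s in "$SAMPLE_MELTDOWN" "$SAMPLE_SPECTRE_V1" "$SAMPLE_SPECTRE_V2" "$SAMPLE_UNAFFECTED"; do
        printf '%-45s -> %s\n' "$s" "$(classify_status "$s")"
    done
}

# Usage: sh check_mitigations.sh        (offline demo on the samples)
#        sh check_mitigations.sh scan   (read the live host)
case "${1:-demo}" in
    scan) report_host ;;
    *)    run_demo ;;
esac
```

The sysfs files reflect only what the running kernel has applied; a "Mitigation:" line for spectre_v2 depends on both the kernel patch and the CPU microcode being present, so run the scan after every reboot that follows a kernel or firmware update, and treat the missing-directory case as a host that still needs its kernel upgraded.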
A Physical Security Problem in the Virtual World
Prior to the announcement of these flaws, it was believed that the hardware enforced isolation between processes, and between processes and the kernel, so that personal and secure applications could sit side by side with each one's data safe from snooping by the other. Being able to read all of a system's memory is very much like holding the master key to a secure building instead of the key to a single office – so it is best that physical security protocols be employed to curb any possible exploit. Treat this as if the master key to your corporate offices were in the hands of someone who may do you harm.
The BeyondTrust Advantage
Looking at this problem from a physical security point of view, the following solutions help to prevent exploits to your systems:
- Retina Discovery and Vulnerability Scanner – Retina identifies all assets in your network, maintains visibility into the health of your environment, defines the borders of your environment, and knows what you need to protect.
- BeyondSaaS – Often purchased to meet regulatory requirements, BeyondSaaS is a tool that gives you an outsider's view of your environment. Identify all of the open ports, servers, applications, and services that are reachable from an external source.
- PowerBroker Password Safe – Secures all of the credentials that can access your systems, with an ongoing process to protect them. Access is controlled through a single portal that brokers sessions to your most sensitive servers, with complete monitoring and control of user activities.
- PowerBroker Identity Services – Integrate your servers to authenticate to a single source - Active Directory. Users must have the appropriate group memberships, and access levels to access any server in your environment, and you have an audit trail to prove it. Individuals in your organization use a single credential to access all of your systems, and you can carefully control their access.
- PowerBroker for Windows – Agents on all laptops and servers control all administrative activity on your systems. You have the ability to restrict specific processes from running, or to authorize processes to run based on group policy.
- PowerBroker for Unix & Linux – Agents on all of your Unix and Linux servers use the powerful policy language to control your environment. Policies permit privileged activities, or access to credentials on specific servers, for specific individuals or groups and for specific reasons. Plus, you have a complete record of all activity that takes place during a privileged session, and you review these sessions regularly as part of your compliance program.
- PowerBroker for Networks – Network devices are as vulnerable as servers, so it is important that you apply the same level of control to your routers and switches as you would to your servers. Know who is accessing them, what they are doing, and why they are doing it.
Summary
Looking at these flaws from a physical security point of view, it is important to consider what steps you would take if someone breached your data center:
- Closer monitoring of all entrances, and exits
- Additional checkpoints
- Guards at the gates
- Identity cards
- Change the locks
- Focus on limiting access to specific areas
These items are likely all part of your physical security program. There is no reason that those same principles should not be applied to your virtual environment. With the underlying hardware security now in question, it is important that you use your other tools to protect that layer from compromise. The controls provided by BeyondTrust products give you the opportunity to apply these same restrictions to your virtual environment. Your program should be mature enough to deliver much greater control over the “Who”, “What”, “When”, and “Where” in your environment, and in most cases you can identify the “Why”. Let's review the advantages that you have with BeyondTrust:
- You have identified all of the assets on your network, and what they do
- You have consolidated all of the credentials on your network, and have secured them
- You have control over all user activities within your environment regardless of the operating system
- You have a portal where you can audit all of these activities, and a dashboard to get a single view of your environment
- You have a tool that analyzes behavior and brings unusual activity to your attention
- You have the ability to monitor activity and review sessions in real-time using the agents that you have already deployed
- Using the PowerBroker agents, you can also prevent access to system libraries or other direct memory functions, or alert on it through whatever channel you have configured, including syslog, paging, or email.
The key to keeping these two vulnerabilities from being exploited on your systems is to up your game in privileged access management: an attacker needs to run code on a server before a side-channel attack can read its memory. You can do this if you implement a secure system where users access only those servers or applications that they need in order to perform their jobs, that access is carefully controlled, and access points are carefully monitored. You can restrict lateral movement between servers, and you have the ability to isolate users to specific tasks or functions once they are on your systems. You already have checkpoints, monitoring, and access controls, and have mirrored in your virtual world the physical security controls it would be prudent to implement following a physical breach. Over the coming months, more capable exploits for these vulnerabilities are likely to be developed. For BeyondTrust customers, you already have the tools you need to protect your environment. If you are not yet a BeyondTrust customer, and you would like this level of confidence in dealing with these vulnerabilities and other future threats, please contact us and we'll be happy to help you.
Chad Erbe, Professional Services Architect, BeyondTrust
Chad Erbe is a Certified Information Systems Security Professional (CISSP), with nearly 30 years' experience in Unix/Linux administration roles. Chad has worked in DoD high-security environments, manufacturing, and with large financial services companies throughout his career. This broad experience has led him to an architectural role with BeyondTrust where he focuses on Privileged Access Management, particularly in the Unix suite of products. Chad also maintains his PCI ASV certification from the PCI Council.