In 2015, we've seen yet another incident of privileged account misuse in the OPM breach that is currently being investigated. Is this Groundhog Day? Why do we keep seeing this problem surface over and over again in major breaches and hacking scenarios? This is really not a new problem at all, but we’ve got to get to the root of what’s going on here. Based on my experience, there are some major systemic issues that lead to privileged account misuse and subsequent attacks or data breaches as a result.
First, IT administrators, developers, and other common privileged users have a need to get work done that may in fact require privileges in many cases. This has been the case for a long time, and we have the classic case of simply over-provisioning those privileges to these types of users, knowing that they’ll need to use them at some point in their day-to-day jobs.
Second, IT admins and developers have often had a bit of a “deity mentality”. In other words, they run this shop, don’t get in their way. Suggesting that these folks need anything LESS than the most elevated privileges would be an insult!
Third, the tracking and monitoring of privileged users and accounts has rarely been a strong suit for security and risk teams in many organizations. One of these issues is simply a result of generic admin and root accounts being used so frequently - all the logs and events are attributed to “root” or “Administrator”, and this is tough to track. Alongside this issue, many admin activities just haven’t been a focal area for security teams until the last few years, so we’re catching up.
Finally, we’ve created service accounts, vendor accounts, partner accounts, and temp accounts for every other possible reason under the sun and left them hanging out all over the place within our environments, and this is starting to come back and bite us in many ways. Not only are we handing out privileged accounts with reckless abandon, we can’t even possibly hope to keep track of them in many environments large and small.
If you look back at some of the biggest hacks and breaches of the past few years, many have involved privileged account hijacking and misuse. It’s time to get a handle on this problem and take it more seriously. Will privileged user management tools come in a shiny box that blinks in a rack? Maybe, maybe not. Will you be able to boldly attend InfoSec cocktail parties and loudly proclaim that you’ve “solved that APT thing”? Let’s not even go there. This is all about getting control of our environments, minimizing the likelihood of accidental errors and exposure factors linked to privileged accounts, as much as it’s about preventing the bad guys from hijacking and leveraging those same accounts.
There’s plenty of problems we don’t have great options for in InfoSec today. Malware is a pain point that keeps evolving rapidly. 0-day exploits are tough to prepare for. Privileged account management? We got this. We know the root causes, we know how it manifests, we know how to get it under control effectively, and there are great technology solutions that are enterprise-class. Let’s cross one issue off the list, shall we?
Join me in the upcoming webinar with BeyondTrust where we’ll take a look at some breach and hacking examples of privileged account misuse, some of the realities we face in many environments today, and how we can get this problem under control in 2015.
Author/Presenter: Dave Shackleford, SANS Instructor
Want to learn more? Watch the webinar now.
