Recent reports have highlighted how cyber-criminal groups are now targeting IT and incident response teams to get access to corporate networks and data. The aim of every malicious outsider is to become a privileged insider, so it’s no surprise that these kinds of individuals are in their sights. But could it be that the way that we manage system administrator and other elevated privileges is actually leaving organisations open to attack? A number of weaknesses spring to mind.
Let’s look at how reliant IT departments have become on directory services. These have traditionally been the way to control access and manage users of network infrastructure. These systems make it easy to grant access and permissions to systems, but very hard to see what permissions a user has and how they’re using them. The nature of administrators and IT pros is that their requirements for remote access to infrastructure change depending on the task or project they’re working on.
It’s extremely difficult to use directory services to manage these changes. As a recent survey of IT professionals revealed, half of respondents would find it difficult to identify whether an ex-employee or ex-contractor still had access. This should be a startling finding for those organisations who might be considering cyber insurance of some sort because I can’t think of a single policy that will pay out in the event of a data breach without a user access audit trail.
Which brings me to another common misconception: the risk comes from the account, not the user. IT infrastructure is more organic than we think. Many networks have grown over time, and legacy IT systems focused on “business as usual” perhaps don’t get the security that they should.
Very often shared accounts are still being used for administrative access to these kinds of servers and devices. These shared accounts are problematic for a number of reasons. In the event of a user leaving or their access being revoked, changes to the credentials have to be communicated to everyone else who uses them. If the credentials are rarely used, this increases the chances of passwords being stored insecurely or written down. This was exactly the case with Sony Pictures, where unprotected text files full of user names and passwords were saved on the network. Shared accounts also mean that, in the event of the worst happening and an organisation suffering a data breach, it would be almost impossible to track whether an individual insider was responsible, as a shared account would keep them anonymous.
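The two gaps described above (not knowing whether a leaver still has access, and shared administrative credentials that nobody rotates or can attribute) can both be caught by a periodic access review that joins a directory export against the HR leaver list. The script below is an added example, not code from the original article; it assumes a hypothetical export format (one record per account with an enabled flag, privileged group membership, the list of people who know the credential, and the date it was last changed) and constructs the sample data inline so it runs offline.

```python
"""Hypothetical privileged-access review over a constructed directory export.

Added example for illustration. The record layout (dict per account), the
'owners' field (people who know the credential; more than one = shared
account) and the HR leaver list are assumptions constructed for this script.
"""
from datetime import date

# Constructed sample directory export (not real accounts).
ACCOUNTS = [
    {"sam": "jsmith", "enabled": True, "owners": ["jsmith"],
     "groups": ["Domain Admins"], "pwd_last_set": date(2024, 1, 10)},
    {"sam": "acontractor", "enabled": True, "owners": ["acontractor"],
     "groups": ["Server Operators"], "pwd_last_set": date(2023, 11, 2)},
    {"sam": "svc_backup", "enabled": True,
     "owners": ["jsmith", "acontractor", "mlee"],
     "groups": ["Backup Operators"], "pwd_last_set": date(2023, 6, 1)},
    {"sam": "mlee", "enabled": False, "owners": ["mlee"],
     "groups": ["Domain Admins"], "pwd_last_set": date(2023, 12, 5)},
]

# Constructed HR leaver list: login name -> leaving date.
LEAVERS = {"acontractor": date(2024, 2, 1), "mlee": date(2024, 1, 15)}

# Groups the review treats as privileged (assumption for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Backup Operators"}


def is_privileged(account):
    """True if the account belongs to any privileged group."""
    return any(g in PRIVILEGED_GROUPS for g in account["groups"])


def leavers_with_live_access(accounts, leavers):
    """Leavers whose own account is still enabled: access was never revoked."""
    return [a["sam"] for a in accounts
            if a["enabled"] and a["sam"] in leavers]


def shared_privileged_accounts(accounts):
    """Enabled privileged accounts whose credential is known to several people.

    These can never be attributed to one individual in an audit trail.
    """
    return [a["sam"] for a in accounts
            if a["enabled"] and is_privileged(a) and len(a["owners"]) > 1]


def shared_accounts_needing_rotation(accounts, leavers):
    """(account, leaver) pairs where a leaver knew a shared credential that
    has not been changed since they left, so they may still be able to use it.
    """
    findings = []
    for a in accounts:
        if not a["enabled"] or len(a["owners"]) <= 1:
            continue
        for owner in a["owners"]:
            left = leavers.get(owner)
            if left is not None and a["pwd_last_set"] < left:
                findings.append((a["sam"], owner))
    return findings


def review(accounts, leavers):
    """Run all checks and return the findings as one report dict."""
    return {
        "stale_leaver_access": leavers_with_live_access(accounts, leavers),
        "shared_privileged": shared_privileged_accounts(accounts),
        "rotate_after_leaver": shared_accounts_needing_rotation(accounts, leavers),
    }


if __name__ == "__main__":
    for finding, items in review(ACCOUNTS, LEAVERS).items():
        print(f"{finding}: {items}")
```

On the constructed data the review flags the contractor whose account was never disabled, and the shared backup credential that two leavers still know and that has not been rotated since either of them left; a real run would replace the inline lists with the output of the directory and HR systems, and the report is the audit trail an insurer or investigator would expect to see.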