Risk
11/7/2012
00:36 AM
Connect Directly
RSS
E-Mail
50%
50%

Build Roadblock For Attacks Through Rule Of Least Privilege

Attack against Coke shows once again why organizations need to better control their privileged accounts

Reports surfacing this week about a 2009 deep dive by Chinese hackers into Coca-Cola IT infrastructure that potentially scuppered a huge merger stand as evidence once again that enterprises need to be better at enforcing the rule of least privilege, security experts warn. If reports from BloombergBusinessweek hold true, the 2009 attack against Coke follows a remarkably familiar script, as attackers sent malware-laden spearphishing messages to company executives, owned their machines, and leveraged privileged accounts held by the victims to gain further access into the network.

"Privileged accounts have emerged as the primary target for attackers -- if you examine some of the most spectacular breaches of the past few years, they all have a privileged connection," says Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, pointing to other attacks against Global Payments, the U.S. Chamber of Commerce, and the Utah medical records breach. "Hackers gain access to administrative and privileged accounts -- once inside, they elevate privileges to gain access to additional servers, databases, and other high-value systems."

And yet many organizations fail to even assess the risk that elevated rights on endpoints and privileged accounts for network resources pose to their businesses. A survey conducted by privileged management vendor Viewfinity this summer found that 68 percent of organizations didn't even know who had local administrator rights on their machines, a configuration vulnerability frequently used by spearphishing attackers to start attacking the network from the proverbial side door.

According to Bosnian, part of the problem of runaway privileges in the enterprise is that many organizations have too narrow of a view of what exactly a privileged account really is.

"The common belief is that if you're managing the user names, roles, and privileges of your IT employees' personal accounts, then you're successfully controlling all privileged accounts and access," he says. "Whether they're called hard-coded passwords, admin passwords, or privileged accounts, they're all privileged access points that provide a direct -- and often anonymous -- route to an organization's most sensitive data and infrastructure."

By rights, adherence to the rule of least privilege -- or the maxim that no account should ever have more rights authorized to it than necessary for a user to get his job done -- should be the No. 1 driver for identity and access management, says Marcus Carey, security researcher for Rapid7.

"This is critical because limiting privileges is an excellent way to limit the spread of malware once network resources are compromised," he says. "However, the principle of 'least privilege' is one of the hardest information security tenets to maintain. It is nearly impossible for large enterprises to manage this without identity and access management."

[Hackers fixate on SQL injections -- CSOs, not so much. See The SQL Injection Disconnection.]

Of course, IAM products alone can't do much to enforce the rule of least privilege. It also takes coordinated effort to focus automation, policy, and teamwork into the right direction. For example, frequent access reviews are important to prevent privileges from creeping upward, says Jackson Shaw, senior director of product management at Quest Software, now a part of Dell.

"Embrace an access review policy and regular, automated access alerts that notify two or more administrators of access changes, employee changes, or other critical issues," Shaw says. "Notifying more than one administrator helps overcome negligence. To prevent access creep, access privileges must be dynamically linked to human resources and staffing databases."

Similarly, best practices should drive IAM implementation choices that lead to restrictions in privilege authorizations that lead to a least privilege posture, Shaw says.

"Some of the most common implementation options to help get to a least-privilege state include assigning appropriate access directly to users based on well-defined roles, limiting access to administrator and root accounts, and making sure that the passwords to these accounts are not shared, are changed frequently, and that there are controls in place to limit and track their use," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jay O'Donnell
50%
50%
Jay O'Donnell,
User Rank: Apprentice
12/10/2012 | 6:48:55 PM
re: Build Roadblock For Attacks Through Rule Of Least Privilege


Interesting
read - It is true enterprises must put forth extra effort to ensure hackers
cannot access privileged accounts. It is important to track employees from
their first day to their last day, including any changes in responsibility
that happen in between, thereby ensuring that they never have too much or too
little network access. The N8 Identity Employee Lifecycle Manager (ELM)
software solution simplifies this process while delivering compliance at
every level . I'd be interested to hear what you think:
http://n8id.com/our-offering/e...


Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6278
Published: 2014-09-30
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

CVE-2014-6805
Published: 2014-09-30
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6806
Published: 2014-09-30
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6807
Published: 2014-09-30
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6808
Published: 2014-09-30
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.