“Having a central view of all system administration reduces the costs of forensic investigation and allows for a faster response to security incidents while improving the company's ability to answer tough audit questions.”
—Andras Cser, Forrester Research
You've invested in information technology and the associated infrastructure, applications, databases, and peripherals to assist your company in becoming competitive, ease administration, and satisfy reporting and compliance mandates. You've made decisions on physical servers and desktops. You've decided on what to virtualize for cost saving and improved capacity planning. You may have moved some of that infrastructure to a public, private, or hybrid cloud infrastructure. You've hired an incredible team of employees and implemented IT security solutions to keep hostile outsiders from accessing your mission-critical systems. You've passed most, if not all, of your IT audits and have certificates to prove regulatory compliance. But, are you confident that you've avoided the potential of showing up in the next Wall St Journal article on insider breaches? Have you prevented good people, trusted employees, from doing bad things, intentionally, accidentally, or indirectly?
Insider threats are a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the UK as they are in the US. They appear just as innocuous in Poughkeepsie as they do in Perth.
If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally, or indirectly misusing that privilege and potentially stealing, deleting, or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved. We've observed three types of situations where intent and action may be in question:
We have reported on several cases already in this book where an insider has done everything from almost nuisance-level harm to the very heights of catastrophic theft in the hundreds of millions of dollars range. We will also analyze more as we delve deeper into the best practices observed. We travel frequently to visit resellers, customers, and prospects around the globe to discuss least privilege for specific business, geographic, and system-level requirements (physical, virtual, and cloud-based computing platforms). What always amazes us on these trips is the general belief that insider threats are solely a US-based issue and that employees are completely trustworthy everywhere else.
Nothing could be further from the truth. In January 2011, an article at computing.co.uk reported “ICO fines former Direct Assist employee for illegally obtaining NHS data.” We're not sure if his action was matched to his intent, but clearly the results are the same.
It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts “bad guy looking to do bad things,” but alas it is only in the cartoons and movies of Hollywood where you can always find the stereotypical bad guy: black top hat, curled black mustache, and sinister grin.
In real life enterprises, insiders look like you and me; just regular employees doing their job and collecting their paycheck. That's why “securing the perimeter within” is so important.
What are the boundaries within your extended enterprise (read: “the perimeter within”)?
Now that you have a better understanding of what the perimeter within looks like, we can move on to talk about the types of things insiders can do to threaten your security, compliance, and governance policies.
How many times have you heard the old proverb “after the storm comes the calm?” And how many times have you just accepted “storms” as part of life? From our point of view, these downpours aren't actually necessary.
We also find, from an enterprise point of view, that the best kind of storm to steer clear of is the security storm. Do we have to wait for a rough and tumble tempest that completely derails everything we're working toward? Absolutely not—we can prevent the loss of secure information and keep our businesses calm and running smoothly, thus bypassing the storm and going straight for the calm. Let us show you how.
To prevent a “storm” in your company, take a good hard look at your enterprise. Is there a measure in place to secure your sensitive information from being blasted for the world to read? Are your users all operating at the superuser level? Are you setting yourself up for a problem, or have you taken the steps to bypass any damage? The reason for this internal assessment is clear: all around us are unsettling reports of breached databases and purloined trade secrets. We're sure you've seen these intentional security storms: whether it's the Goldman code that was stolen, then sold, or the iTunes accounts that were hacked and put up for sale, both of these incidents point out how prevalent storms are in today's information security sector. But what is at the root of the problem? The answer is shocking. Many think it's hackers, thieves, and malware vulnerabilities. While those can play a role, most breaches are caused by the abuse of admin rights.
Preventing security storms in your enterprise is easy. The answer is to take away the admin rights of all individuals who don't need them. Don't let them abuse their privileges; implement and practice a least privilege management solution. Give users access to information based on what is essential to their job. This will stabilize, secure, and streamline your system, thus preventing storms and allowing you to enjoy the calm.
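One concrete way to answer “are your users all operating at the superuser level?” on a Windows estate is to inventory who actually sits in each desktop's local Administrators group and compare it against the short list your policy approves. The script below is an added example, not code from the book or from any product it describes; it assumes Windows 10 / Server 2016 or later (for the `Microsoft.PowerShell.LocalAccounts` cmdlets), an elevated session, and placeholder approved-principal names that you would replace with your own.

```powershell
# Added example (not from the book): audit local Administrators membership on a
# Windows host and flag every principal that is not on the approved list.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember) and an elevated session.
# Run per desktop, or deploy via a scheduled task / GPO and collect the CSVs centrally.

# Principals allowed to keep local admin rights. These names are constructed
# placeholders; substitute the accounts and groups your policy actually approves.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (placeholder policy choice)
    'CONTOSO\Desktop Admins'             # placeholder domain group
)

function Get-LocalAdminReport {
    param([string[]]$ApprovedPrincipals = $Approved)

    # Direct members of the local Administrators group: local or domain users and groups.
    # Note: membership of nested domain groups is NOT expanded here.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Principal   = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            Approved    = ($ApprovedPrincipals -contains $m.Name)  # case-insensitive
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    # Remediation step for a least-privilege rollout. Called with -WhatIf it only
    # reports what would be removed; drop -WhatIf once the approved list is reviewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([object[]]$Report)

    foreach ($row in $Report | Where-Object { -not $_.Approved }) {
        if ($PSCmdlet.ShouldProcess($row.Principal, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $row.Principal
        }
    }
}

$report = Get-LocalAdminReport

# Unapproved entries are the candidates for removal under a least-privilege policy.
$report | Where-Object { -not $_.Approved } |
    Format-Table Computer, Principal, ObjectClass, Source -AutoSize

# Keep the full inventory as evidence for audit questions about admin rights.
$report | Export-Csv -Path "$env:TEMP\local-admins-$env:COMPUTERNAME.csv" -NoTypeInformation

# Dry run first; remove -WhatIf only after the approved list has been signed off.
Remove-UnapprovedLocalAdmins -Report $report -WhatIf
```

Because only direct membership is listed, a domain user who is an administrator through a nested group appears under the group's name, not their own; expand such groups in Active Directory before deciding what to remove.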
Every organization has its own quirks. Sometimes leadership isn't involved enough for certain projects to be successful. Other times they're too involved. And sometimes it feels like everything is just too much of a mess. This is especially true when it comes to IT security and compliance across physical, virtual, and cloud environments.
It doesn't happen often, but when a CEO gets interested in IT security, we're often breathless. What do we tell her? What would the CEO ask about? CIO Update recently wrote on ten security questions your CEO should ask. So we wanted to put together the five questions you might be asked about administrative privileges and what your answers should be.
Q: Do you trust our staff?
A: Yes, of course! But we don't rely on trust alone.
Q: What processes are in place to protect these privileges?
A: Approvals, mitigated privileges, and keystroke monitoring.
Q: What are we doing to protect us from honest mistakes made by our own staff?
A: Oh dear, we do hope you can say that administrative privileges have been removed from desktop users!
Q: What are we doing to protect the cloud?
A: Enforced SLAs with our cloud vendors to follow the same policies we use internally.
A: Don't forget to plug the next project for which you need support and/or funding.
Isn't it amazing how easy it is to adopt bad habits? The crazy thing is that no one is immune; they plague each and every one of us. Whether we were taught incorrect practices or are just looking for shortcuts to make our lives/jobs/situations easier, each of us yields to poor patterns at some point in our lives.
It's when we allow these habits to interfere with the mechanisms keeping our enterprises safe that they become a huge problem. Maybe you think your actions won't matter because no one knows about them, or that your exploits won't affect the sensitive information within your company's database, or maybe it's just that you're not concerned enough to switch to correct principles. Whatever your reason for allowing bad habits to fester, it's time for a wake-up call! There's no room for these patterns in today's information security world. With cases like the Goldman Sachs debacle and the Vodafone incident showing how prevalent data leaks and cyber crime are becoming, it's time to shape up. But how can you take your bad habits and turn them into peace of mind? Start by kicking these four bad behaviors and you'll be well on your way:
If you find yourself on the path to a security breach because you're choosing to maintain bad security habits, make the decision to change today. Kick these habits and introduce peace of mind into your security plan.
Almost everyone has read the children's tale about the little girl who happened upon a house in the woods and went about discovering porridge that was too hot, too cold, and just right; chairs that were too big, too small, and just right; as well as beds that were too hard, too soft, and just right. It didn't end well when the bears came home to discover the intruder, but the lesson of extremes was forever implanted in your mind. Unfortunately, this lesson hasn't seemed to stick for most enterprises when it comes to security and compliance versus productivity and user friendliness (Figure 11-1).
When it comes to IT security, most organizations that we have interviewed fall into one of the two extreme camps of either:
Since you've continued to read this far into the book, we can only assume that you desire to achieve, or improve, your ability to satisfy both:
Delivering balance between security and compliance with productivity and ease of governance is a least privilege imperative. Setting privilege authorization based on set roles and policies facilitates an environment wherein fine-grained entitlements can mitigate the majority of privilege misuses discussed throughout this book. Let's take a look at how a specific organization found balance through least privilege.
The University of Winchester, located in Winchester, UK, was established in 1840. The university combines their strong heritage with innovative learning and teaching to educate over 5,900 students in 17 different departments with over 650 staff members each year. The University of Winchester promotes the importance of intellectual freedom, social justice, diversity, spirituality, individual importance, and creativity.
Ian Short, Applications Infrastructure Manager for the University of Winchester, is part of the IT management team responsible for the operation of the IT environment across the university campus. The university predominantly runs a Microsoft site. All of the back-end servers run Windows Server 2003 and 2008 within an Active Directory domain. Ian's department also supports over 1,500 Windows desktops on campus (all running Windows XP), with over 7,000 user accounts. Many of these desktops are laptops used by remote employees in various locations. In addition, Ian and his team are responsible for 120+ applications, with a number of extra locally installed applications.
The challenge of managing user privileges in an environment full of students is complicated enough, but the dilemma only increases when you account for required applications. The team universally understood that they needed to eliminate administrator rights in order to decrease malware attacks and increase security. However, they also knew they couldn't lock down the entire network because of the 120+ applications they manage. Originally, the university used Admin Studio to deal with specific issues, but found this solution to be too time-consuming and unreliable.
“It became clear that in our environment something needed to be done,” said Ian. “We were noticing a worrying growth in security risks and so managing user access became a priority.”
Implementing a least privilege solution offers a simple, centralized approach, which reduces the threat posed by malware and elevates only the privileges that are necessary. It satisfies security requirements by restricting privileged access to a least privilege model.
“With this solution, we were able to lock down our users' access while still allowing applications to run where necessary,” Ian explained. “It's the perfect solution for our IT needs. No longer are we required to ‘punch holes’ in our security in order to complete certain tasks.”
With their least privilege solution, the University of Winchester has completely removed administrator rights among their users, while simultaneously providing adequate rights to perform the tasks that students and staff need. Some of the key uses include elevating privileges for 8 multimedia packages in their multimedia center, 24 applications on their desktops, and around half a dozen Windows functions. It also has significantly decreased the amount of time Ian and his team spend on support issues, which has significantly reduced cost, as well.
Most of you already know that getting users to choose effective passwords is hard. This is particularly important to those of you looking to implement a least privilege solution that functions correctly, as you will need to accurately authenticate a user to know what access privileges to grant them. While new technologies for user authentication are on the way, they aren't here just yet.
There are several options today for improving user passwords, but they all have issues. Requiring users to choose strong passwords often leads to them writing theirs down on a yellow sticky pad so they can remember it. Password rotation is a standard defense against password-cracking attacks, but a recent Microsoft study suggests password rotation just causes people to choose easier-to-remember phrases as passwords. Biometrics are expensive and far from foolproof. Two-factor authentication should be the norm, but is perceived as expensive and inconvenient. Even if implemented, it's still susceptible to social engineering and phishing attacks.
So there are no easy answers to ensure a user is who they say they are. As with all security decisions, you need to weigh the costs of a solution versus the risks, but practically we recommend three things:
By now, you've seen the value of implementing a least privilege solution to establish boundaries instead of creating the proverbial security walls. This will facilitate not only a balance between security and productivity, but also assist with real-time governance changes across the ever-changing extended enterprise. Before we close the book, we'd like to offer a few key steps to success.
By now, you've figured out that we believe least privilege is a crucial component of IT environment security. Without it, over-privileged users can access (and abuse) sensitive resources and mission-critical information. Without it, under-privileged users can be so locked down that they are ineffective at doing their jobs without some level of help-desk or management support to get past admin credential requirements. Protecting your data from insiders and their accidental, intentional, or indirect misuse of privileges is paramount to the success of your company's IT strategy. Let's hear what our experts think about that.
Governing an IT environment takes very granular attention to a lot of moving parts. It gets complicated, but having a well-defined plan mitigates most of the chaos that can come with sensitive data. As you know by now, least privilege is a necessity within that security plan. There are benefits that come from limiting access to mission-critical resources. We've talked about them throughout the book, but they're the driving reason that least privilege is in effect. To be able to centrally and efficiently manage a network of desktops, servers, and databases is paramount to the security of those devices. It's equally important to prevent the risk of insiders destroying the delicate balance of a secured network, in addition to being compliant with federally mandated regulations regarding the protection of sensitive information. All these benefits are the result of least privilege, and are easily obtained by allowing employees access to only those resources they are entitled to based on their job descriptions.
As humans, it's very easy to fall into grooves. Some of these are good, and some of these are bad, but it's natural for us to create behavioral patterns. This is true in the IT world, as well; however, most of the habits formed tend to err on the side of bad. As an IT manager, it's a huge risk to allow people to run free among the resources I am responsible for. Even if people are the most trustworthy employees, accidents happen and inadvertent things come up. Privileges are misused, whether it's accidentally or intentionally, on a regular basis, and corporate security is too steep a price to be paid. Bad habits should not have a place in an IT environment, and least privilege is the way to counteract that. Users that don't need to run as administrators shouldn't, employees should never have access to the root password, and all activity should be closely monitored. The way to keep an enterprise secure is through least privilege.
The best thing about compliance is this: by implementing it, most security infractions are mitigated. Earlier in the chapter, we discussed security storms. These can be prevented if compliance is a priority in your enterprise. If an organization takes the time to plan and execute a security plan that preemptively allows for the avoidance of breaches of secured data, that company is in a much better place as far as security tempests go. The best way to get compliant fast is to implement a least privilege solution. By now, you're aware of what that is. By now, you understand how crucial it is to the protection of your mission-critical information. Letting users have full access to data they don't necessarily need is both irresponsible and in direct violation of regulations provided to protect your enterprise's greatest asset. It's easier than it seems, and such a principle makes logical sense. Give users access to information based on what is essential to their job. This will stabilize, secure, and streamline your system, and make your enterprise a compliant environment.