Security Management: The Scary New Hacking Trend

You can mitigate the risks of falling prey to a disturbing new trend in hacking, but you have to be prepared.

Phil Lieberman

Operation Aurora was the brazen 2009 cyber attack on Google and other large enterprises. More recently, high-profile breaches put certificate authority DigiNotar out of business and hit VeriSign. In each case, hackers learned to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks.

In hindsight, it’s always easy to determine what should have happened. Today it seems clear the criminals behind these recent high-profile cyber attacks weren’t necessarily computer geniuses—just good opportunists. They were able to exploit human nature and then abuse an open door they knew they’d find.

These hackers use creative tactics such as highly targeted spear-phishing e-mails that lure unsuspecting users into opening a malicious attachment. Then the hackers deploy zero-day malware onto the user's computer. From that single computer within an organization, attackers exploit weak, shared privileged accounts to take control of systems throughout the victim's network, map its infrastructure and extract sensitive information. Because the same administrator password often unlocks dozens or hundreds of machines, one captured credential is enough to move from host to host. It's a simple but highly effective strategy.

You can find potentially vulnerable privileged accounts practically anywhere within your IT infrastructure. They’re on host computer OSes, network appliances and backup systems, and in line-of-business (LOB) software. You can categorize privileged accounts in three primary groups:

  • Super-user login accounts: IT staff use these accounts to configure, run and install applications; change system settings; handle routine administrative duties; and perform emergency repairs.
  • Service accounts: Background services, scheduled tasks and agents run under these privileged login IDs, and their passwords are typically stored on the host itself.
  • Application-to-application passwords: Web services, LOB applications and custom software use these passwords to connect to databases, middleware and so on, often embedded in configuration files or scripts.

The passwords controlling access to privileged accounts are the primary obstacle standing between hackers and your organization’s private data. However, all too often, these credentials are not adequately secured, monitored and audited.

The Risk of Privileged Accounts

Privileged accounts are typically not recognized by Identity and Access Management (IAM) systems, because they belong to no single person and are shared among staff, services and applications. Consequently, most organizations have no automated way to manage these powerful accounts.

Today’s IT security regulations—mandated by government and industry groups alike—require that you frequently update privileged account credentials and audit their use. Yet updating these accounts with scripts or by hand is often too time-consuming and error-prone to be practical.

To further complicate the process, manual changes can cause service outages if you don’t sufficiently account for interdependencies between different privileged accounts. Therefore, many organizations simply ignore the problem.

Unfortunately, the security risks introduced by weak privileged account security don’t stop at the door of your datacenter. More of the shared services your organization uses—including cloud services, certificate authorities and financial service gateways, to name a few—have recently been exposed as having weak or nonexistent privileged account security.

To a hacker, shared, weak privileged logins used by service provider staff are an incredibly attractive target. This is especially true when you consider that in these types of environments, a single compromised login can expose the private data of scores of corporate customers.

Secure the Keys

While it might seem like a daunting prospect to secure your privileged accounts, you can start to take control with three simple steps:

Step 1. Find the Keys. Carry out a top-to-bottom audit of your entire network to determine exactly where your privileged accounts reside. This should include identifying whether the logins are sufficiently unique and complex, and whether they’re changed often enough to be secure. Tracking potentially thousands of privileged logins in a typical datacenter is no easy task. There are effective solutions that can provide point-in-time privileged account audits to qualified organizations, usually without charge.

Step 2. Lock the Doors. You should deploy the basic automation necessary to close any discovered security holes. There are cost-effective solutions that can not only secure these accounts on large networks, but do so in hours or days, instead of months.

Step 3. Secure the Windows. There’s no point securing your network if you leave critical external elements vulnerable. Demand that your key business partners—including cloud services providers, certificate authorities and others—demonstrate that they’re in compliance with meaningful mandates like the Consensus Audit Guidelines.
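The following script is an added example of what Step 1 and Step 2 look like in practice; it is not the article's code and not any vendor's product. It runs over a constructed inventory (the hosts, account names, passwords and dates are invented) and flags the three weaknesses the audit should surface: logins that are weak or default, logins that have not been rotated within the policy window, and logins shared across hosts. It then builds a rotation plan that gives each flagged super-user account a unique secret per host, while changing a shared service login on every dependent host as one change set, which is the interdependency problem that makes manual rotation cause outages.

```python
"""Audit and rotation planner for a privileged-account inventory.

Added example, not the article's own code or any vendor's product.
INVENTORY below is constructed sample data with plaintext secrets so the
checks are visible; a real sweep would pull these from directory servers,
local hosts, appliances and application configs, and store only hashes
or vault handles, never the secrets themselves.
"""
from __future__ import annotations

import hashlib
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    host: str
    name: str
    kind: str          # "superuser", "service" or "app2app" (the article's three groups)
    secret: str        # plaintext only because this is constructed sample data
    last_changed: date


# Hypothetical datacenter: three hosts share one local admin password, a
# backup service login is reused on two hosts, and one app-to-app login is fine.
TODAY = date(2011, 11, 1)
INVENTORY = [
    Account("web01", "Administrator", "superuser", "Summer2011!", date(2011, 1, 15)),
    Account("web02", "Administrator", "superuser", "Summer2011!", date(2011, 1, 15)),
    Account("db01", "Administrator", "superuser", "Summer2011!", date(2011, 1, 15)),
    Account("db01", "svc_backup", "service", "Backup#2011xyz", date(2011, 6, 1)),
    Account("app01", "svc_backup", "service", "Backup#2011xyz", date(2011, 6, 1)),
    Account("app01", "crm_db_conn", "app2app", "crm-prod-Xk9!vL2qP7", date(2011, 10, 20)),
]
COMMON_DEFAULTS = {"password", "admin", "changeme", "p@ssw0rd", "welcome1"}


def fingerprint(secret: str) -> str:
    """Hash so the report can say 'these hosts share a secret' without echoing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def is_weak(secret: str) -> bool:
    """Short, low-diversity or well-known default secrets fail the check."""
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
        if any(test(c) for c in secret)
    )
    return len(secret) < 14 or classes < 3 or secret.lower() in COMMON_DEFAULTS


def audit(inventory: list[Account], today: date, max_age_days: int = 90) -> dict[tuple[str, str], list[str]]:
    """Step 1: map (host, account) -> sorted issues among 'weak', 'stale', 'shared'."""
    issues: dict[tuple[str, str], set[str]] = defaultdict(set)
    by_fingerprint: dict[str, list[Account]] = defaultdict(list)
    for acct in inventory:
        by_fingerprint[fingerprint(acct.secret)].append(acct)
        if is_weak(acct.secret):
            issues[(acct.host, acct.name)].add("weak")
        if (today - acct.last_changed).days > max_age_days:
            issues[(acct.host, acct.name)].add("stale")
    # The lateral-movement enabler: one secret that unlocks more than one host.
    for accts in by_fingerprint.values():
        if len({a.host for a in accts}) > 1:
            for a in accts:
                issues[(a.host, a.name)].add("shared")
    return {key: sorted(found) for key, found in issues.items()}


def new_secret(length: int = 24) -> str:
    """Random secret from the OS CSPRNG, regenerated until it passes is_weak."""
    alphabet = string.ascii_letters + string.digits + "!#%+-=?@_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate):
            return candidate


def rotation_plan(inventory: list[Account], report: dict[tuple[str, str], list[str]]) -> list[dict]:
    """Step 2: one change set per flagged super-user account per host (so a stolen
    hash no longer opens the fleet), but service and app logins that share a secret
    are rotated together on every host that depends on it, so a piecemeal change
    cannot leave one side of the dependency with the old password."""
    groups: dict[tuple[str, str], list[Account]] = defaultdict(list)
    for acct in inventory:
        if (acct.host, acct.name) not in report:
            continue
        key = (acct.name, acct.host if acct.kind == "superuser" else fingerprint(acct.secret))
        groups[key].append(acct)
    return [
        {"account": name, "hosts": sorted(a.host for a in accts), "new_secret": new_secret()}
        for (name, _), accts in groups.items()
    ]


if __name__ == "__main__":
    report = audit(INVENTORY, TODAY)
    for (host, name), found in sorted(report.items()):
        print(f"{host:6} {name:14} {', '.join(found)}")
    for change in rotation_plan(INVENTORY, report):
        print(f"rotate {change['account']} on {change['hosts']}")
```

On the sample inventory the audit flags all three Administrator logins as weak, stale and shared, flags both svc_backup entries as stale and shared, and leaves the app-to-app login alone; the plan then contains three per-host Administrator changes plus one svc_backup change set covering app01 and db01. The 90-day window and 14-character minimum are assumptions standing in for whatever policy your auditors actually require.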

Hackers have demonstrated they can penetrate any corporate network. In the past few months, the intruders seem to be gaining more of an upper hand. Word has leaked that perhaps four more certificate authorities may have been compromised in attacks similar to that suffered by DigiNotar.

Many organizations seem to be reeling from the severity of the situation. Some have responded with panic and confusion as they hurry to latch the doors while leaving the keys in the locks.

Your datacenter relies on privileged identities to function. That isn’t going to change. However, failure to protect these accounts will leave your private data exposed. You know about all the risks, but at the end of the day, it’s up to you to protect the keys to your kingdom.

Philip Lieberman

Philip Lieberman, founder and president of Lieberman Software, has more than 30 years of experience in the software industry. He has published numerous books and articles on computer science, has taught at UCLA and has authored many computer science courses for Learning Tree International. He has a B.A. from San Francisco State University. For more information, visit liebsoft.com.