Addressing The Weakest Link In Security – The Users

“On the strength of one link in the cable, dependeth the might of the chain.
Who knows when thou mayest be tested? So live that thou bearest the strain!”

This is the fifth and best-known stanza of a poem called “The Laws of the Navy”. One of many things that had to be memorised at the United States Naval Academy, it is one of the few things I still remember from my time there two decades ago.

While security threats come in all shapes and sizes (zero-day exploits, SQL injection or malware, to name but a few), the most damaging data leaks are related to the abuse of insider credentials.

The massive release of financial information from the Panamanian law firm Mossack Fonseca was the result of an anonymous inside source with database access sending 11.5 million banking documents to the German newspaper Süddeutsche Zeitung. The attacks on the US Office of Personnel Management [1] and on Anthem Inc (a medical company where the personal records of over 78 million patients were potentially stolen) involved outsiders obtaining privileged user credentials, which rendered the encryption of the data ineffective.

These leaks demonstrate that the motive is not only financial gain but can also be ‘ethical’ grounds (e.g. Edward Snowden) or plain revenge (Ashley Madison). Disgruntled employees and leavers can be tempted to take data with them. Knowing the motivations for insider attacks allows some preparation as to where to implement controls and where to look for potential data loss.


Privileged Users

There is no single silver bullet that can eliminate the risk posed by malicious or even negligent insiders. But the most obvious controls to consider are provided by privileged access management. In many cases, system administrators were able to walk away with information without being prevented or detected. In some cases, such as the AT&T breach, they were even able to install malware deliberately.

To reduce the risk, consider controls that limit the commands that super users or administrators can employ, as well as privileged session management that monitors or records activity. The threat of prosecution can be a deterrent to malicious acts.

Data loss prevention techniques can also detect data loss and act as a control but should be augmented, for example by using group policy to block the use of USB ports.

There is also the threat of outsiders obtaining legitimate insider credentials and abusing those privileges. One method to reduce that risk is to employ two-factor authentication for access to sensitive information and intellectual property. If a user falls victim to a phishing attack or has their credentials compromised through social engineering, the attacker will still have to obtain a second factor such as a biometric input or a device that the user possesses.

All organisations should have an effective Identity Governance programme in place, not only for compliance purposes, but to reduce the risk of excessive system access. If an inside attack happens, rights that have been kept to a minimum limit the potential damage by reducing the attack surface that excessive credentials would otherwise provide.

A regular collection and certification of entitlements should highlight access that falls outside of policy and govern the process of revoking that access.
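As an added illustration of that certification step (example code, not from the original article), the script below compares an exported set of user entitlements against a role-based policy and produces the list of entitlements that fall outside policy and should go through revocation. The role policy, the entitlement export and the user names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy: the entitlements each role is allowed to hold.
ROLE_POLICY = {
    "finance-analyst": {"erp:read", "reports:read"},
    "payroll-admin": {"erp:read", "payroll:read", "payroll:write"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Constructed entitlement export: user -> (assigned role, granted entitlements).
ENTITLEMENT_EXPORT = {
    "alice": ("finance-analyst", {"erp:read", "reports:read"}),
    "bob": ("finance-analyst", {"erp:read", "reports:read", "payroll:write"}),
    "carol": ("dba", {"db:read", "db:write", "db:admin", "payroll:read"}),
    "dave": ("contractor", {"erp:read"}),
}


@dataclass
class CertificationFinding:
    user: str
    role: str
    excess: set = field(default_factory=set)  # entitlements outside policy
    reason: str = ""


def certify(export, policy):
    """Return one finding per user whose granted access falls outside policy."""
    findings = []
    for user, (role, granted) in sorted(export.items()):
        allowed = policy.get(role)
        if allowed is None:
            # A role with no policy cannot be certified: flag everything for review.
            findings.append(CertificationFinding(user, role, set(granted),
                                                 "role has no policy"))
            continue
        excess = granted - allowed
        if excess:
            findings.append(CertificationFinding(user, role, excess,
                                                 "entitlements exceed role policy"))
    return findings


def revocation_plan(findings):
    """Map each flagged user to the sorted list of entitlements to revoke."""
    return {f.user: sorted(f.excess) for f in findings}


if __name__ == "__main__":
    for f in certify(ENTITLEMENT_EXPORT, ROLE_POLICY):
        print(f"{f.user} ({f.role}): {sorted(f.excess)} - {f.reason}")
```

Running the certification over the constructed export flags bob's payroll write access, carol's payroll read access and everything held by dave, whose "contractor" role has no policy at all; the first two are the classic entitlement creep that regular certification is meant to catch, and the third is a gap in the policy itself.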

Executive Privilege

Organisations need to rethink their concept of privileged users. IT security professionals typically define privileged users as admins with broad access to sensitive information. But executives are also privy to sensitive information, and they wield an authority that other privileged users don’t have. Employees are unlikely to question this authority.

Unchecked access and authority are a risky combination that attackers can use to their advantage in a technique called Whaling.

Recognising that executives are privileged users is only the first step. You also need to realise that executives are like most end users: they are focused on doing their jobs. If security controls and policies prevent users and executives from being productive, they will find a way around those controls and policies.

However, if executives understand what is at stake, they are more likely to abide by some security controls—especially if the controls are virtually invisible. For example, unobtrusive user monitoring [2] can identify outsider abuse of insider privileges, thereby shortening the window of abuse if hijackers acquire executive privileges.

Multifactor authentication [3] (MFA) that is easy to use, such as thumbprint readers, can also provide a convenient and effective security measure. Just remember: the less restrictive and more convenient the security solution, the less likely it is that executives will circumvent its policies and controls.

What is Whaling?

Whaling, a form of spear-phishing, is identity theft carried out through a social-engineering scheme in which the attacker assumes the persona of a person in the organisation being attacked. In the case of Whaling, the identity exploited is that of a senior or C-level executive, and that person’s seniority is used to pressure junior staff into releasing important data.

Whaling attacks usually start with emails sent from spoofed or disguised domains, purporting to come from the CEO or CFO and requesting the supply of information. It is a technique that is increasingly being used.

Notable companies to have suffered Whaling attacks include Mattel, Seagate and Snapchat. Mattel lost $3M in 2015, and in the case of Snapchat a request purporting to come from its CEO resulted in the release of all staff payroll information. The Seagate attack had the same result, with the payroll information of all US staff being stolen.

Go to http://www.csoonline.com/article/3048263/security/phishing-attacks-targeting-w-2-data-hit-41-organizations-in-q1-2016.html to see a fuller list of the organisations that have been compromised in this way.
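The pattern described above (a spoofed or lookalike domain, an executive's name on the From line, and an urgent request for payroll data) is one a mail gateway or SOC can screen for. The following is an added example, not code from the article or from any product it cites, of such a check: it flags a message when the display name matches a known executive but the address does not, when the sender domain is within a small edit distance of the corporate domain, when Reply-To diverges from From, or when the text contains urgent requests for sensitive data. The corporate domain, executive list, keyword list and sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Constructed: the organisation's own domain and its senior executives.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Constructed: phrases typical of an urgent request for sensitive data.
URGENCY = re.compile(r"\b(urgent|immediately|wire|payroll|w-2|confidential)\b", re.I)


def domain_distance(a, b):
    """Levenshtein edit distance between two domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(message):
    """Return the reasons a message looks like an executive impersonation (empty if none)."""
    reasons = []
    name, addr = parseaddr(message.get("From", ""))
    name_l, addr_l = name.strip().lower(), addr.lower()
    domain = addr_l.rsplit("@", 1)[-1] if "@" in addr_l else ""

    # Display name of an executive, but not the executive's real address.
    if name_l in EXECUTIVES and addr_l != EXECUTIVES[name_l]:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # Sender domain is a near-miss of the corporate domain (e.g. a digit swapped for a letter).
    if domain and domain != CORPORATE_DOMAIN and domain_distance(domain, CORPORATE_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} is a lookalike of {CORPORATE_DOMAIN}")

    # Replies silently routed somewhere other than the apparent sender.
    reply_to = message.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.lower() != addr_l:
            reasons.append(f"Reply-To {rt_addr} differs from From {addr}")

    if URGENCY.search(message.get("Subject", "")) or URGENCY.search(message.get("Body", "")):
        reasons.append("urgent request for sensitive data")
    return reasons


# Constructed sample messages: one impersonation attempt, one genuine note.
SAMPLE_SPOOFED = {
    "From": "Jane Doe <jane.doe@examp1e.com>",
    "Reply-To": "jane.doe@examp1e.com",
    "Subject": "Urgent: payroll W-2 data",
    "Body": "Please send all staff W-2 forms immediately.",
}
SAMPLE_GENUINE = {
    "From": "Jane Doe <jane.doe@example.com>",
    "Subject": "Board lunch",
    "Body": "See you at noon.",
}

if __name__ == "__main__":
    for label, msg in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        print(label, assess(msg))
```

None of these signals is proof on its own (a genuine executive may well write "urgent"), which is why the function returns all of the reasons rather than a single verdict, so that a message scoring on several of them can be quarantined or routed for out-of-band confirmation with the executive.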

Password Issues

While the Panama Papers were a wake-up call to pay closer attention to insider threats, recent developments have highlighted that simple passwords are not an adequate defence. This year’s Verizon Data Breach Investigations Report [4] (DBIR), released on 26 April, states, “63 percent of confirmed data breaches involved weak, default or stolen passwords.”

Two days later, version 3.2 of the PCI-DSS standard was released [5], which now mandates multi-factor authentication for any personnel with administrative access to credit card data. Passwords alone are not considered secure enough to verify the administrator’s identity.

This raises the question of why MFA is not already more widely adopted. Given that users and industries have been slow to adopt it, usability is clearly an issue. A healthcare worker trying to save a patient’s life is justified in not wanting to open an application on her phone to retrieve a one-time password (OTP) that will expire in a few seconds.

Cost is another challenge. Biometric readers or tokens are expensive at the scale required for use by large organisations.

To get around cost and usability issues, many organisations will apply different MFA technologies for different uses. The police officer in a patrol car probably will use an OTP application on his smartphone, while access to an FBI data centre might require biometrics, and a terminal at a field office might mandate the use of a smart card, all in addition to a PIN or password. This allows a balance between cost and usability that fits the security policy.

However, employing diverse MFA technologies and installing disconnected pockets of authentication introduces the likelihood of unevenly applied security policy, and the risk that comes with those blind spots. A centralised policy management platform for authentication is therefore critical when implementing MFA. While it is no panacea, it can reduce the data breaches caused by weak, default or stolen passwords.

Ultimate Solution?

Has any security control ever proven to be 100 percent effective? Even networks with an air gap to the Internet are vulnerable to malware on a USB memory stick given to an employee (although this, too, can be checked for).

Similarly, while MFA presents a harder target for password pirates, what possibilities emerge from a “what could go wrong” analysis? What risks remain that should at least be considered for further mitigation?

Here are five (surprising) examples of situations where MFA may fail in preventing outsiders from getting in:

  • The Outsourcer. A member of staff who willingly passes on his credentials. There was recently a developer in the USA who secretly outsourced his job to China at a lower cost to free up time for his leisure pursuits. This included passing on his two-factor VPN authentication credentials so that the outsourcee could access the employer’s network.
  • The Helper. Biometrics provide a way of demonstrating “something you are”, one of the three factors of MFA, but what happens when someone has their hand in a cast and cannot submit a thumb or hand print? Or how about the persuasive or harried worker who “left their key card at home”? There is a real possibility that a security guard or a co-worker is going to help them out.
  • Redirection. One-time passwords delivered as tokens via a mobile app can be intercepted through the use of malware. SIM cards can also be spoofed. With more vulnerabilities being found on mobile devices, this is a growing possibility.
  • The Sharer. Verification codes sent to a user’s mobile phone via SMS for password resets can be obtained simply by asking the user to forward the code, when the attacker follows up with an official-sounding text that requests the verification. Research has shown that this is highly feasible and that people accede to such requests quite frequently.
  • Synchronisation. Mobile-to-desktop synchronisation services are increasingly popular, but they can also compromise security if either platform is infected by malware. Once one device is compromised, so is any MFA that depends on it.

Each of these examples (and more are sure to arise) can be mitigated with different approaches. Since most relate to people behaving in an insecure manner, education is one obvious method for mitigation.

Given that there are at least three factors possible in MFA, adding more complex access controls is another approach, but the inconvenience for users has to be considered.

It should also be accepted that a determined attacker will eventually find a way to compromise credentials. Therefore, we must not only control access but also monitor what users are doing with their access, looking for abnormal patterns that would indicate an attack in progress.

This concept of merging user behavioural analytics and security analytics with identity analytics is in its infancy, but provides the possibility of preventing or limiting damage from compromised credentials.
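To make the "abnormal patterns" idea concrete, here is an added example (not code from the article or from any product it references) of the simplest form of user behaviour analytics: a per-user baseline of working hours, source countries and access volume is built from earlier activity, and later events that deviate from that baseline on two or more dimensions are raised as alerts. The access log, user names and thresholds are constructed for the example; a real deployment would feed it from the identity and application logs the article's monitoring controls already collect.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access log: timestamp, user, source country, records accessed.
# Alice's last line is the kind of event credential abuse produces: an out-of-hours
# login from a new country that pulls far more records than she ever has before.
ACCESS_LOG = """\
2016-05-02T09:12:00 alice GB 40
2016-05-02T10:45:00 alice GB 55
2016-05-03T09:30:00 alice GB 38
2016-05-03T14:05:00 alice GB 60
2016-05-04T09:50:00 alice GB 45
2016-05-04T11:20:00 alice GB 50
2016-05-05T03:17:00 alice RO 4200
2016-05-02T09:00:00 bob GB 20
2016-05-03T09:10:00 bob GB 25
2016-05-04T09:05:00 bob GB 22
2016-05-05T09:15:00 bob GB 21
"""


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, user, country, records) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, country, n = line.split()
        events.append((datetime.fromisoformat(ts), user, country, int(n)))
    return events


def build_baselines(events, cutoff):
    """Per-user baseline from events before cutoff: hours seen, countries seen, largest volume."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "max_records": 0})
    for ts, user, country, n in events:
        if ts >= cutoff:
            continue
        b = base[user]
        b["hours"].add(ts.hour)
        b["countries"].add(country)
        b["max_records"] = max(b["max_records"], n)
    return base


def detect_anomalies(events, cutoff, volume_factor=5):
    """Return (user, timestamp, reasons) for post-cutoff events deviating on 2+ dimensions."""
    base = build_baselines(events, cutoff)
    alerts = []
    for ts, user, country, n in events:
        if ts < cutoff or user not in base:
            continue  # only score events that have a baseline to compare against
        b = base[user]
        reasons = []
        if ts.hour not in b["hours"]:
            reasons.append("unusual hour")
        if country not in b["countries"]:
            reasons.append("new source country")
        if n > volume_factor * b["max_records"]:
            reasons.append("volume spike")
        if len(reasons) >= 2:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(ACCESS_LOG), datetime(2016, 5, 5)):
        print(alert)
```

Requiring two independent deviations before alerting is what keeps this usable: a single late-night login or one unusually large report is ordinary for most staff, whereas an unusual hour combined with a new country and a forty-fold jump in volume is exactly the pattern of a compromised credential that MFA alone would not have stopped once the attacker holds a valid session.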

As with all security measures, there is no silver bullet that completely secures against the wilful, negligent or outsider abuse of credentials. But understanding the risks and limitations of the available approaches is the first step towards mitigation.


Articles referred to:

  1. http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/
  2. www.netiq.com/solutions/identity-access-management/monitor-privileged-users.html
  3. www.netiq.com/products/advanced-authentication/
  4. http://www.verizonenterprise.com/verizon-insights-lab/dbir/
  5. http://blog.pcisecuritystandards.org/pci-dss-32-is-here


This article was first published in OHM Issue 34, 2016/3, p5-7
