Inside attacks: The rogue administrator

Today, one of the most challenging cyber predicaments that organisations are faced with is that of the insider threat and how to protect against it. Whether it’s an employee that’s financially motivated and intent on stealing company data (just think back to the Morgan Stanley scandal when 83 million customers’ data was compromised), or a disgruntled ex-employee with an axe to grind, organisations must stay on top of how to prevent privileged users – those with the highest access rights to the corporate network – from doing things which are not allowed.

Whilst the vast majority of employees are honest and trustworthy, it only takes one ‘rogue’ employee to cause damage – and this can be particularly harmful if they are in a position of privileged access, such as a system administrator. These users have a remote connection to servers via their own desktops and by means of the protocols used, they can see other employees’ screen as if they were actually sitting in front of the monitor connected to the server, even though the accessed computer may as well be in another part of the world. As many large and multinational corporations today have a variety of data centres distributed around the world, remote IT resource access has become the de-facto standard. With very high or even unrestricted rights to operating systems, databases and applications, these “super users” have access to servers and could potentially manipulate a company’s sensitive information, such as financial and client data, or HR records.

Challenges

In many cases, IT personnel access the same privileged account and share the same password. This risk greatly increases when an administrator leaves the organisation or changes role, and the shared passwords are not changed. There are further risks: in a recent BalaBit survey of 200 IT professionals, nearly half of them admitted to having bypassed the IT policy and made exception rules in the firewall. Further, 29 per cent of respondents admitted to taking home company data and 25 per cent have looked into confidential files (for example, list of salaries). Most worrying, is the fact that 15 per cent have already deleted or modified system log files (in order to hide or destroy evidence).

Best Practices

So how do you minimise the potential for damage by an admin that’s gone ‘rogue’? Protecting the business from these insider breaches is not impossible but strong access policies and visibility of activities are key.

Firstly, it’s important to create granular access policies for privileged users including restrictions based on various attributes, such as time periods or group membership. These should take legal regulations and standards into consideration, and it is often worth treating users with privileged access separately. Each user, including privileged users, should only be granted the rights absolutely necessary to perform their duties. Even system administrators should only have access to those systems they absolutely need for business and operational reasons.

Ensure that named accounts are used properly for personal accountability; there needs to be careful assessment of users - other than named users - when and why these accounts are in use, and how such options can be eliminated. Should technical reasons justify the use of shared user accounts, it’s then important to investigate what solutions can help mitigate the associated risks. Where administrative users access the same privileged account, and passwords are shared, user password vaults offer a way to store credentials (for example, passwords, private keys, certificates). Credentials for accessing the server are retrieved transparently from the vault. This automatic password retrieval is crucial to protect the confidentiality of passwords as users never get access to them.

In terms of tracking activity, log management systems are not always capable of recording the actions performed by privileged users. It is possible to fill this gap with Privileged User Monitoring (PUM) solutions, providing detailed and traceable records. These can provide encrypted, digitally signed and time-stamped recordings of administrative sessions. The recorded audit trails can be used as irrefutable evidence to settle any accountability issues about the remotely administered systems which is in the common interest of both parties.

Csaba Krasznay, Product Manager of Shell Control Box, BalaBit