All those who use computer systems are granted privileges which determine the level of access they have to those systems and the data they contain. Some users are granted wide privileges and are known as privileged users. Clearly, once one of their credentials is compromised, it's an "Open Sesame" for hackers keen on searching for the family silver.
Too often, though, people tend to think these privileged users are organisational insiders with a clear understanding of their roles and responsibilities relating to network security. Of course, if one of these insiders goes rogue, or their credentials are compromised, they can certainly be a source of much damage.
But, the potential vulnerability is much broader and it's not fully recognised by system administrators and security officers. Experience shows that third parties with privileged access have actually been the source of some of the biggest breaches caused by the compromise of privileged users. These third parties could include vendors, contractors, business partners and others who have been granted privileged access to corporate systems.
VIP
For example, several major breaches in the US were caused when an authorised third-party user's credentials were compromised and used to penetrate the network and its resources, illicitly. Compromised third-party credentials were used in the widely reported breaches at Target, Home Depot and the US government's Office of Personnel Management.
Today's integrated value and supply chains are one driver for expansion in the universe of privileged users. Another is the embracing of technologies like virtualisation and migration to the cloud.
When it comes to the cloud, part of the danger lies in the growth of 'shadow IT'. What happens when individual business units bypass the corporate IT department to access cloud services independently? This creates a whole category of privileged users of which the IT and security departments have no knowledge.
Even more disconcerting, some privileged users might not be human. In both cloud and virtualised environments, automated configuration and provisioning tools driven by scripts and programs have introduced even more 'users' with significant access to, and authority over, large tracts of infrastructure. In a similar vein, over the years, growing numbers of scripts and programs are added, each requiring administrative or sensitive access to databases or other applications and systems.
Access by these tools, scripts and programs is controlled by authentication. Unfortunately, the authentication credentials are typically hard-coded into applications or configuration files, where they present an easy target for malicious users, whether insiders or outsiders.
Even more disconcerting, some privileged users might not be human.
Companies need to identify all the accounts with privileges and the credentials associated with them. These credentials are the nexus of risk, because they are exploited by hackers.
Four steps to breaking and entering
Gain access. Having successfully hijacked a user's credentials, the hacker will enjoy the same level of access. Hackers use social sites like LinkedIn to identify and target individuals within a company, who are likely to have privileged access. Increasingly sophisticated spoofing or spear phishing (e-mails that appear to be from a recognised organisation) can now fool even experienced people into handing over credentials.
Elevate privileges. The next step is for the hacker to elevate the privileges of the hijacked credential, typically by compromising other privileged credentials. The hacker can use his extra privileges to prevent his existence and activity being observed by altering or disabling logging software, or by using malware.
Perform lateral movement and reconnaissance. It's highly unlikely that a hacker will be lucky enough to have entered into the part of the system with the data and applications that most interest him. These would typically be card-payment processing systems, proprietary data, personnel records and the like. Having obtained extra privileges, the hacker can now begin to explore the system to discover where the targets are located, and gradually gain access to the relevant systems.
Do it again. Having found one target, the hacker can just keep on trawling through the system in search of the next. As many public breach reports show, hackers can spend months and even years carefully exploring a target network to find their targets and achieve their goals - be they disrupting systems, stealing data and so forth.
That's the challenge. In my next Industry Insight, I will explore how to combat it.
Share