- Security TWENTY
- Women in Security Awards
IT security software man Calum McLeod of Lieberman Software on the Edward Snowden affair.
At the time of writing I’m not sure if Edward Snowden is still sitting in a Moscow transfer lounge or settling in to his “luxury apartment” in a barrio in Venezuela. Regardless of where he is, I’ve become relatively blasé when it comes to hearing about yet another security breach, or of stories that Big Brother is watching us. It’s almost like a traffic policeman going to the press and saying that speeding fines are a money making racket! As if the average person in the street is going to be surprised.
And the rather predictable shock and protests from certain EU governments that the US government was eavesdropping is really a case of the pot calling the kettle black. For those old enough to remember the last century, the French government admitted to being actively involved in extensive international spying to try and give French companies an advantage in the international market. So it seems that when the French President Francois Hollande said allegations that the US bugged European embassies could threaten a huge planned EU-US trade deal, and that there could be no negotiations without guarantees that spying would stop immediately, he seemed to conveniently forget that the French government have been doing this for years. Maybe he just didn’t like the idea of a level playing field!
In fact one of the earliest examples of industrial espionage goes back to the beginning of the 18th century with the French stealing porcelain manufacturing methods from the Chinese. What goes around comes around as they say. During the early 1990s, France was described as one of the most aggressive perpetrators of industrial espionage, and it seems like the Americans and the French have been having a ding-dong battle for years. And it’s not just these two countries that have either been suspected or even caught red handed – they’re all pretty much at it. In fact the Chinese government must be enjoying this period of relative tranquility since they’re usually blamed for everything.
So spying is not really news, and neither is yet another “insider” abusing privileged access to steal confidential data from IT systems.
According to NSA Director Keith Alexander, Snowden reportedly “fabricated digital keys that gave him access to areas way above his clearance as a low-level contractor and systems administrator.” Now I’m sorry, but anyone stupid enough to decide that an airport was the place to settle down cannot be that clever. Or maybe he thought that having seen the Tom Hanks movie “The Terminal”, he’d have a Catherine Zeta Jones moment and try the chat up line “Would you like an eat to bite?” Who knows, but anyone who has the slightest understanding of digital keys will know that you don’t just simply fabricate them.
By now you would think that every organisation, whether governmental or private sector would have realised that protecting passwords and keys is an absolute essential. Additionally technology that monitors the activity of systems administrators has been around for years.
The problem frequently starts with the failure of organisations to know where the accounts are throughout the infrastructure. For example all your Windows systems have Service Accounts, Scheduler Task Accounts, COM+ Accounts, IIS6 Metabase Accounts, IIS7 Accounts, etc. It’s not just simply the Administrator accounts. A typical example of how easy it can be to circumvent policies is what happens when IT Support departments are pressed to solve a problem. Take for example a situation where a user is unable to gain administrative access to their systems. The workaround is to call the IT Support department, who will have a solution. Very often IT will have set up an account that allows Admin access to every machine, and once this is given to the user, unless it is immediately changed, the user has unlimited access. And more disturbing is the question, who is the IT Admin! However the same organization will most likely have spent a fortune on perimeter security, blocks loads of malicious websites, and constantly reminds its staff of the dangers of malware!
What this shows is the massive risk that organizations are faced with if they do not control access to Privileged Accounts. In the case in point, not only should the IT Support Department have required an audited approval process to gain access to the “backdoor” password, but once accessed it should have immediately been changed.
Passwords and keys
Regardless of who you are, any security credential needs to be managed. It starts with Privileged Identity that provides the access to a plethora of the “keys to the kingdom”. Without properly managed and secure control of the credential that gives privileged access, everything underneath becomes vulnerable. As in the example of the NSA, it would appear that badly managed passwords and keys gave Snowden the access he needed to discover SSL keys, SSH keys, Symmetric keys, and other passwords.
Having good processes for your SSL, SSH and Symmetric is all well and good, but ultimately flawed if you don’t control your privileged accounts. As in my own case, one privileged LDAP account opened up my whole world, and it may very well have been that Snowden simply asked the NSA IT Support department to enable him to install or uninstall something on his laptop!
So what are some simple and practical steps you should be considering:
• Ensure all privileged accounts are locked down and remember that we’re not simply talking about Admin or Root!
• Always rotate passwords immediately after use for any shared accounts, especially if the same password is used on multiple systems
• Control access to privileged passwords, including service accounts and enforce an audited check-in/check-out policy
• Encrypt all keys or passwords that are stored in repositories with an approval workflow to allow access
• Try wherever possible to avoid using the same password across multiple systems, and change passwords on a regular basis, especially when staff move
• Whenever possible ensure that keys and passwords cannot be reused
Finally my advice to Mr Snowden would be to watch another Tom Hanks movie called ‘Castaway” since that may be his safest bet as far as a good location goes, and maybe Mr Hollande will want to check the origins of the word espionage! Always good to count the cost before you start something!