by Andrey Dulkin
Last week, we responded to a Slashdot question about designing SCADA with security in mind. I saw an interesting question today on the Ask Slashdot page about “How to prevent Snowden-style breaches.” The poster asked (paraphrased):
“The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden…Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business’s data, organizations more often focus on threats from the outside. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack…What do you think the best way is to lock down a system against malicious insiders?”
This is an astute question and is one we’ve based our business on answering. We’ve addressed the chilling words of Snowden and the lessons we’ve learned from the Snowden incident. In addition, when the NSA said they were solving the issue by establishing a two-person rule, we talked about why the problem is really about the unfettered access that privileged users have.
The Slashdot poster touches on the last topic – how to secure the enterprise against malicious insiders. Let’s put out this caveat – it’s almost impossible to protect yourself completely against a malicious, motivated insider who is committed to doing harm to your organization. That said, you can make the process so difficult and onerous that it’s nearly impossible for an insider to commit acts like Snowden’s, while making sure there is no way for them to do so undetected.
That’s why any discussion of how to stop Snowden-style attacks needs to start with controlling and monitoring privileged accounts in real-time. As the poster acknowledges, privileged access provides broad access across systems, so attacks carried out through these accounts are absolutely devastating. This is also why outside attackers specifically target these accounts.
If an organization monitors every time a privileged account is used, it has a greater opportunity to respond to malicious activity and mitigate potential damage. In addition to this, here are some specific things that could have been done to mitigate Snowden-style attacks:
- Broad establishment of the principle of least privilege – people should only have access to what they need to do their jobs.
- Administrators should not have operational access to the systems they support/maintain. They should be able to support and make sure systems function properly, but they should not have access to the application itself. This should always be protected and reserved for use by legitimate business users.
- All administrator activity needs to be monitored – every time a privileged account is used, it should be flagged, logged and recorded.
- Sensitive information should be stored in a secure manner – Snowden, and insiders like him, should not be able to remove presentations the way he did.
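To make the second and third points above concrete, here is an added example (not code from the original post or from any CyberArk product) of the kind of check a monitoring pipeline would run over privileged-account activity. It parses a handful of constructed syslog-style `sudo` and `su` lines (sample data, not a real log), records every privileged use as the third bullet demands, and additionally flags an administrator whose elevated command touches application data under an assumed path (`/srv/app/data`), which is the separation-of-duties violation the second bullet describes. The path, usernames and hostnames are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (syslog style). Not real data; the host,
# users and paths are made up for this example.
SAMPLE_LOG = """\
Jun 10 09:01:12 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun 10 09:03:40 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /srv/app/data/board_presentations.tar
Jun 10 09:05:02 fileserver su: (to root) alice on pts/0
Jun 10 09:07:55 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/scp /srv/app/data/board_presentations.tar bob@10.0.0.5:/tmp/
Jun 10 09:10:13 fileserver sshd[2211]: Accepted publickey for carol from 10.0.0.7 port 51022 ssh2
"""

# Assumed location of application data. Admins maintain the host but should
# not be reading the application's own files (least privilege / separation
# of duties between system support and business use).
APP_DATA_PREFIXES = ("/srv/app/data",)

# sudo lines: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# su lines: "su: (to <target>) <user> on <tty>"
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")


def parse_privileged_events(log_text):
    """Return one event dict per privileged-account use (sudo or su).

    Ordinary logins (e.g. the sshd line) are not privileged uses and are
    deliberately ignored here.
    """
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            events.append({"user": m["user"], "target": m["target"],
                           "via": "sudo", "command": m["cmd"].strip(),
                           "raw": line})
            continue
        m = SU_RE.search(line)
        if m:
            events.append({"user": m["user"], "target": m["target"],
                           "via": "su", "command": None, "raw": line})
    return events


def touches_app_data(command):
    """True if any argument of the elevated command is under app data."""
    if not command:
        return False
    return any(tok.startswith(APP_DATA_PREFIXES) for tok in command.split())


def audit(events):
    """Flag every privileged use, plus admin access to application data.

    Each alert is (kind, user, target_account, command).
    """
    alerts = []
    for e in events:
        # Bullet 3: every privileged use is recorded, no exceptions.
        alerts.append(("PRIVILEGED_USE", e["user"], e["target"], e["command"]))
        # Bullet 2: admins support the system but must not touch the
        # application's data; that is reserved for business users.
        if touches_app_data(e["command"]):
            alerts.append(("APP_DATA_ACCESS_BY_ADMIN", e["user"],
                           e["target"], e["command"]))
    return alerts


def summarize(alerts):
    """Per-user counts of each alert kind, for a quick review dashboard."""
    counts = defaultdict(lambda: defaultdict(int))
    for kind, user, _target, _cmd in alerts:
        counts[user][kind] += 1
    return {user: dict(kinds) for user, kinds in counts.items()}


if __name__ == "__main__":
    found = audit(parse_privileged_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(summarize(found))
```

On the sample above, alice's two elevations are logged but raise no further alert, while bob's two elevated commands on the presentations archive are each flagged as administrator access to application data, which is exactly the activity a reviewer would want surfaced in real time rather than discovered after the fact.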
For a full list of best practices in controlling privileged access, check out the “APT Privileged Account Exploitation Report” from CyberSheath – the report outlines how privileged accounts are used in targeted attacks and provides some great advice on how to control access to these accounts. Because ultimately, it doesn’t matter where the attack starts (outside or inside), what matters is what the attacker does inside the network – and here they’re consistently using the same privileged account pathway.