by John Worrall
We’ve often referred to privileged accounts as the “Keys to the Kingdom” given the wide ranging access they provide. But are privileged accounts the “Key” to your car as well? Maybe, if you drive a BMW. Nick Barron posted an article in SC Magazine UK this week demonstrating why this may be the case: BMWs: Gone in 60 keystrokes – SC Magazine UK.
For BMWs new “keyless” cars, there is an administrative function that allows mechanics to service and repair the car. It also provides them access to the information needed to initialize a new key. Seems odd, but so far, it’s not a real problem. Unless, of course, that same function is available to anyone, and not just to your trusted garage mechanic. To make matters worse, the car alarm couldn’t detect the tampering. Car thieves have a clear shot.
This is a perfect example of what commercial and government organizations face with their IT-based resources. Certain “privileged accounts” are built into nearly every IT product to allow authorized administrators to service and repair the systems. Used properly, and by trusted, authorized people, they present no problem. But of course, in malicious or careless hands, these accounts can cause catastrophic damage.
Best practices are emerging around a three-stage approach to managing these potential vulnerabilities. First, protect the credentials to these accounts, so only authorized users can access them. Next, add accountability. Ensure that every time a privileged account is used, you know who the specific user is, what they did with the account and why they did it. Finally, provide real-time intelligence on how these account are being used so that any potential misuse can be addressed immediately, and not after the damage is done.
Using the BMW example for the purpose of illustration, here’s how it might play out if proper privileged account controls are in place. First, access to the administrative function would be limited to authorized personnel only. Every action taken using the account should be recorded, with the owner being able to review exactly what work was done, which mechanic did it and why. And of course, a real-time alert on the car owner’s smart phone telling them that the key was cloned would be very helpful in trying to catch the thief before they drove away with the $60,000 car.
I realize I’m ignoring many realities of cars and mechanics, of which I know very little. But it’s a great way to think about the privileged account problem in our IT infrastructure. Protection. Accountability. Intelligence.