“Mama, I come to the valley of the rich Myself to sell”
She said “Son, this is the road to Hell” – Chris Rea
The past several months have been an unending nightmare for the US government and its allies, as one disclosure after another has caused unimaginable damage to relationships, and has potentially compromised Western security to an extent that we cannot even begin to imagine.
We all have our opinions regarding the extent to which government should be allowed to know what we are doing, or what our entitlement is to have full disclosure, but it’s probably safe to assume that the majority tend to assume that what is done, and how it is done, is ultimately for our own good. And the same holds true in business. We trust our employers up until the point that we discover that our jobs have been transferred to some offshore company, or have been outsourced to one of the many service providers who appear to offer investors the best ROI.
Although this article is primarily intended to look at the IT security implications of the Snowden and Manning affairs, the question that I believe needs asking is whether the incessant drive to reduce costs and increase shareholder value is ultimately resulting in the demise of our economies, and the destruction of our infrastructures. The days when employees could be sure of their long-term future are long gone. History shows that once any organization becomes dependent on outsourcing and off-shoring, it will sooner rather than later cease to exist.
People Cost Less Than Technology
One of the trends over the past several years has been the move to outsource the day-to-day operation of IT infrastructures. IT has traditionally been seen as a cost center, and by eliminating this cost, organizations stand to make more bottom line profit since they eliminate the costs of staff and infrastructure.
The competitive nature of the outsourcing business has meant that companies are having to offer bottom dollar pricing to win business, and they in turn try and reduce costs. Frequently work is subcontracted to countries where the labour costs are so low that organizations will not invest in automation technology because it costs less to hire an army of IT staff than it does to invest in the appropriate technology.
In many cases, work is carried out in countries where it is neither possible, nor legal, to carry out adequate security screening of staff.
Technology Often Flatters To Deceive
We live in a society where fame and fortune appear to be in everyone’s grasp. And the IT industry has very often been the victim of the corporate “get rich schemes” afforded by Venture Capitalists who will invest in technology companies with an eye to their eventual acquisition or public offering.
The result is that far too often, the technology doesn’t quite do what it claims “on the tin”. We live in an industry where hype is frequently more important than substance, where marketing machines offer Nirvana when the reality is much more sobering, where staff option plans offer instant gratification, and where far too often the investment is more focused on delivering a good-looking dashboard than on something that is actually useful!
As a result, most organizations end up going the “people” route because the technology is simply not fit for purpose. 2013 is the year of APTs, 2012 was BYOD, and who knows what acronym 2014 will bring, but there is one thing the buyer can be sure of: whatever the latest hype is in January, there will be hundreds of vendors claiming a cure.
Don’t Trust People, Especially Those You Don’t Know
Maybe I’m a paranoid cynic – I’ve been called worse – but I’ve never felt entirely comfortable with valet parking. Maybe I’ve seen too many movies where the car experienced severe trauma on its way to the garage; and I certainly would not hand a stranger the keys to my house when I’m on vacation. And yet senior management at organizations such as the NSA and many other government and commercial enterprises seem to have no difficulty in handing strangers access to their livelihoods, and national security.
What the NSA has woken up to is that you cannot trust people, regardless of whether, like Manning, they’re one of your own, or, like Snowden, someone who happily sold his heritage for a “mess of pottage”, which in today’s world means one of the many global news stations and sites.
The fascinating thing with both these characters is not that they’re hacking geniuses, which I’m certain Edward’s new employers in Moscow are discovering, but that a lack of effective automated controls allowed them to abuse their privileges. A five-year-old can access sensitive data if they have the key.
Regain Control
The first clear step that the NSA has identified is the need to regain control, and rightly so. Today, like never before, infrastructure and businesses are under attack. And the first point of attack is to attempt to gain privileged access to any part of an infrastructure. Once this is obtained, the attacker will target any and all assets, regardless of their value.
To combat this threat, organizations need to automate the management of their privileged access, and this goes far beyond simply controlling an administrative account. Even in a relatively small infrastructure, there will be an inordinate number of service accounts that have to be continually discovered, managed, propagated, and delegated access to. Service accounts cover services, tasks, COM/DCOM, SharePoint, scripts, embedded, etc.
Continual discovery cannot be emphasized enough. Once anyone is given administrative access to a system, it becomes a very simple task to create additional accounts that can later be used as back doors. Installing applications or modifying system registries are also relatively easy ways to create back doors. Continuous monitoring is absolutely essential. Additionally, identifying accounts on systems is not sufficient. The saying “garbage in, garbage out” also applies to managing privileged accounts. For example, identifying how many accounts are defined, and removing unnecessary or unused accounts, is a first basic step to ensure that potential back doors are eliminated.
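As an added illustration (not part of the original article and not any vendor's code), the following sketch compares each discovery scan against an approved account inventory and reports accounts nobody approved, approved accounts that have gone unused, and approved accounts that have disappeared. The host names, account names, the 90-day threshold and the record layout are all assumptions constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from any real system.
APPROVED = {("db01", "administrator"), ("db01", "svc_backup"),
            ("db01", "svc_report"), ("web01", "svc_sharepoint"),
            ("web01", "svc_deploy")}

SNAPSHOT = [  # what a (hypothetical) discovery scan returned on 2013-11-01
    {"host": "db01", "account": "Administrator", "privileged": True, "last_used": date(2013, 10, 20)},
    {"host": "db01", "account": "svc_backup", "privileged": False, "last_used": date(2013, 10, 28)},
    {"host": "db01", "account": "svc_report", "privileged": False, "last_used": None},
    {"host": "db01", "account": "support_tmp", "privileged": True, "last_used": date(2013, 10, 27)},
    {"host": "web01", "account": "svc_sharepoint", "privileged": True, "last_used": date(2013, 3, 2)},
]

def audit_accounts(approved, snapshot, today, stale_after_days=90):
    """Compare one discovery snapshot with the approved inventory."""
    cutoff = today - timedelta(days=stale_after_days)
    # Account names are compared case-insensitively (an assumption that
    # matches Windows behaviour; adjust for case-sensitive platforms).
    approved = {(h.lower(), a.lower()) for h, a in approved}
    seen = set()
    report = {"unapproved": [], "stale": [], "missing": []}
    for rec in snapshot:
        key = (rec["host"].lower(), rec["account"].lower())
        seen.add(key)
        if key not in approved:
            # Present on the system but never approved: possible back door.
            report["unapproved"].append(key + (rec["privileged"],))
        elif rec["last_used"] is None or rec["last_used"] < cutoff:
            # Approved but never used or unused for too long: removal candidate.
            report["stale"].append(key)
    # Approved but no longer found: renamed, deleted, or the scan missed it.
    report["missing"] = sorted(approved - seen)
    # List privileged unapproved accounts first, since they matter most.
    report["unapproved"].sort(key=lambda f: (not f[2], f[0], f[1]))
    report["stale"].sort()
    return report

if __name__ == "__main__":
    for kind, items in audit_accounts(APPROVED, SNAPSHOT, date(2013, 11, 1)).items():
        print(kind, items)
```

Run on a schedule, the same comparison turns a one-off inventory into the continual discovery described above, because any account created between scans appears under `unapproved` on the next run.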
When it comes to privileged accounts, an organization can never expect to automate all processes completely, so it is necessary to implement rigorous password and key management. Automated one-time passwords, including automated splitting of passwords to provide “four eyes” access controls, are simply no longer optional. They are a must-have in any large organization that deals with sensitive data.
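One way to realise the “four eyes” split described above, shown as an added example rather than the method of any particular product: a one-time password is generated, split into two XOR shares so that neither custodian's share reveals anything alone, and released only once when both custodians take part. The function names, the record layout and the custodian names are hypothetical.

```python
import hashlib
import hmac
import secrets

def split_password(password: bytes):
    """Split into two XOR shares; each share on its own is uniformly random."""
    share_a = secrets.token_bytes(len(password))
    share_b = bytes(p ^ a for p, a in zip(password, share_a))
    return share_a, share_b

def issue(custodians, nbytes=16):
    """Create a one-time password and hand one share to each of two custodians."""
    if len(set(custodians)) != 2:
        raise ValueError("exactly two distinct custodians are required")
    password = secrets.token_hex(nbytes).encode()
    shares = split_password(password)
    # Only a digest is kept for verification; the password is random and
    # high-entropy, so an unsalted SHA-256 is acceptable in this sketch.
    record = {"digest": hashlib.sha256(password).digest(),
              "custodians": set(custodians), "used": False}
    return record, dict(zip(custodians, shares))

def release(record, submissions):
    """Recombine the password; submissions maps custodian name -> share."""
    if record["used"]:
        raise PermissionError("one-time password already released")
    if set(submissions) != record["custodians"]:
        raise PermissionError("both custodians must take part")
    share_a, share_b = submissions.values()
    if len(share_a) != len(share_b):
        raise ValueError("shares do not match")
    password = bytes(x ^ y for x, y in zip(share_a, share_b))
    # Constant-time comparison detects a wrong or altered share.
    if not hmac.compare_digest(hashlib.sha256(password).digest(), record["digest"]):
        raise ValueError("shares do not match")
    record["used"] = True  # single use: rotate the account password afterwards
    return password.decode()

if __name__ == "__main__":
    rec, handed_out = issue(("alice", "bob"))  # constructed custodian names
    print("released:", release(rec, handed_out))
```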
Today we face unprecedented attacks on a scale never imagined five years ago. According to Mike Rogers of the US Federal Government’s House Intelligence Committee, “They’re taking blueprints back, not just military documents, but civilian innovation that companies are gonna use to create production lines to build things. They’re stealing that, repurposing it back in nations like China, and competing in the international market.”
We are not one global happy family befriending all and sundry on Facebook and Twitter. We are targets in a war between powerful and aspiring empires, both in the commercial and international sphere. We have enemies who are ingenious and are determined to win, and we must learn as quickly as possible how to protect and defend what we have worked so hard to create.
“You must learn this lesson fast
And learn it well
This ain’t no upwardly mobile freeway
Oh no, this is the road to Hell” – Chris Rea
Calum McLeod, VP of EMEA at Lieberman Software
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.