With more network surface to defend than ever before and a never-ending supply of new threats, organizations are increasing security budgets to ensure the necessary tools are in place. Gartner forecasts that worldwide spending on IT security will grow to $93 billion in 2018. That’s an increase of more than $7 billion over 2017 figures.
Oftentimes, though, the critical element of access gets overlooked. Enterprises put privileged access management (PAM) in place and assume that’s an area that doesn’t need to be revisited. As the story below demonstrates, this is not at all true.
The CSO of a large company, Norm, comes into the office one morning and is greeted by Jill from cryptography, who comments that their IT admin, Lou, has been hard at work since about 5:00 a.m. This seems odd, since Lou tends to be a night owl. Jill says Lou requested access to the company’s latest build system, where they keep the code to a top-secret product that is about to launch. He also requested access to HR records and the customer payment information systems for maintenance purposes. His access credentials and keys were older, she says, but they still checked out, so she let him continue.
Norm shrugs and heads toward his office. He runs into Dale from Data Loss Prevention, who tells him that he’s surprised how hard Lou has been working this morning, transferring gigabytes of data around the network. Dale figures there must be a major update in the works, and Norm agrees that’s why Lou must have come in so early. Norm is impressed with Lou’s initiative to work off-hours, and he asks what kind of data Lou’s been transferring.
Dale replies, “I couldn’t tell you. Because everything is encrypted, we can’t see what kind of data is moved in and out of the system.” However, he tells Norm that Jill from cryptography said his credentials checked out, so not to worry. Lou is a trustworthy employee.
Yes, but…something’s not adding up. Norm stops by the office of Preetha, who’s in charge of Privileged Access Management, and asks if she’s interacted with Lou today. Preetha tells him that, in fact, Lou worked around her by using an SSH key pair. Norm comments that this seems like a breach of protocol, but Preetha assures him that this type of thing happens all the time. She mumbles something about how she’s never bothered to check for new SSH keys after vaulting all the SSH keys on her first day of work. She could probably continuously discover SSH keys, but that seems like a lot of work…
A faint alarm bell is ringing as Norm arrives at his office and turns on his computer. His login fails; he realizes he’s forgotten his password again. As if on cue, his phone rings. It’s Lou, who is coughing and sniffling. He apologizes for calling so late in the work day, but—
Norm is glad to hear Lou’s voice, as he was just going to call him to get password help. Lou says he can help Norm but recommends that, going forward, he use the same password for everything; that way, he’ll never forget it. In fact, Lou has written his password on his computer screen at work so anyone can use his account to reset forgotten passwords when he is not in the office.
That faint alarm bell Norm had been sensing is now blaring at full volume. “Wait a minute – you’re not in the office?” Lou confirms this, explaining that he called to say he is sick and won’t be in today. “If you’re not here, then who is getting into all of our critical systems and moving massive amounts of encrypted data out of the network?”
Lou is confounded. He keeps the backdoor SSH key that bypasses PAM on his work computer – right next to his password. How could someone have stolen it?
Don’t Let Norm Be Your Norm
Though the names have been changed to protect the guilty, some version of this story has played out in enterprises around the world. For this story to have a different ending, Norm must realize there is no perimeter anymore, and an outsider can easily become an insider once perimeter security is breached. Every day, attackers find new ways to breach enterprise perimeter security through ransomware, malware, or phishing and other social engineering. A determined attacker can and will get in, so the security mechanisms you have in place to mitigate the damage will make the most difference.
Norm and his team need to be aware of these four modern realities:
- Once an attacker has gained access to your network, he or she can impersonate your employees and hide their activity with encryption. All internal and external traffic needs to be decrypted and inspected because encrypted traffic renders data loss prevention (DLP) and firewalls useless.
- A network can be breached in numerous ways, but the best way to spread the attack is through the theft of credentials like SSH keys.
- It is imperative to continuously monitor network environments for new SSH key deployments. Failure to do so can render any PAM system useless.
- The number one way to prevent credential theft is to use short-lived credentials, thus eliminating the need for passwords or burdensome and intrusive PAM systems.
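The third and fourth points above (continuous discovery of SSH keys, and credentials that expire) are the ones Preetha skipped. The following script is an added example written for this article; it is not code from SSH Communications Security or from any product the page mentions. It takes authorized_keys content collected from hosts, computes the OpenSSH SHA256 fingerprint of each key, and flags entries whose fingerprint was not recorded when keys were vaulted, as well as entries with no from= source restriction and no expiry-time= option (an OpenSSH authorized_keys option in recent releases; its availability on a given sshd is an assumption here). The host names, key material and option values are all constructed for the example; the key blobs are structurally valid but are not real keys.

```python
"""Continuous discovery of SSH authorized_keys entries (added example, constructed data)."""
import base64
import hashlib
import re
import struct

# Key types accepted by OpenSSH that this parser recognises; the options field precedes them.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(data)) + data

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(text: str) -> list:
    """Split the authorized_keys options field on commas that are outside double quotes."""
    opts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    opts.append(cur)
    return [o.strip() for o in opts if o.strip()]

def parse_line(line: str):
    """Return a dict for one authorized_keys entry, or None for blank, comment or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    options = split_options(line[: m.start()])
    return {
        "type": m.group(1),
        "fp": fingerprint(m.group(2)),
        "comment": (m.group(3) or "").strip(),
        "options": {o.split("=", 1)[0]: o for o in options},  # option name -> full text
    }

def audit(host_files: dict, vaulted: set) -> list:
    """Flag entries absent from the vault inventory or lacking from= / expiry-time= options."""
    findings = []
    for host, text in host_files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            entry = parse_line(raw)
            if entry is None:
                continue
            reasons = []
            if entry["fp"] not in vaulted:
                reasons.append("not in vault")  # deployed after the one-time inventory
            if "from" not in entry["options"]:
                reasons.append("no from= source restriction")
            if "expiry-time" not in entry["options"]:
                reasons.append("no expiry-time=")
            if reasons:
                findings.append({"host": host, "line": lineno, "fp": entry["fp"],
                                 "comment": entry["comment"], "reasons": reasons})
    return findings

# ---- constructed sample data: structurally valid ed25519 entries, not real keys ----
def fake_ed25519_line(fill: int, comment: str, options: str = "") -> str:
    """Build an ssh-ed25519 authorized_keys entry whose 32-byte key is a constant fill byte."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    key = "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
    return f"{options} {key}" if options else key

LOU_VAULTED = fake_ed25519_line(0x01, "lou@laptop", 'from="10.0.0.5",expiry-time="20181231"')
JILL_VAULTED = fake_ed25519_line(0x02, "jill@crypto", 'from="10.0.0.0/24"')
LOU_BACKDOOR = fake_ed25519_line(0x07, "lou-backdoor")  # added after the vaulting, no options

# Fingerprints recorded on the day the keys were vaulted (the one-time inventory).
VAULTED = {parse_line(LOU_VAULTED)["fp"], parse_line(JILL_VAULTED)["fp"]}

# authorized_keys content as collected from two hosts today (constructed).
SAMPLE_HOSTS = {
    "build-server": "# build system\n" + LOU_VAULTED + "\n" + LOU_BACKDOOR + "\n",
    "hr-db": JILL_VAULTED + "\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS, VAULTED):
        print(f"{f['host']}:{f['line']} {f['fp']} ({f['comment']}): {', '.join(f['reasons'])}")
```

Run on a schedule against authorized_keys files gathered from every host, the "not in vault" finding is exactly the check Preetha never made: a key fingerprint the vault has never seen is a new deployment that has bypassed PAM. The other two findings give the short-lived-credential point a concrete form, since a key with a fixed expiry date and a from= restriction limits how long and from where a stolen copy can be used.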
The actions of the characters above are examples of what can happen when well-meaning employees are either ignorant of or have become lax about privileged access management best practices. Ignorance and complacency in this fundamental area of network security can lead to reputational and financial ruin. Keep the above truths top of mind as you plot out strategies for greater network security.
To learn how Best-in-Class organizations successfully protect their email and websites against phishing attacks, make sure to read Derek Brink’s latest report.
John Walsh is director of product marketing at SSH Communications Security.