Despite breaches, sysadmins still reluctant to tighten screws on device, user access

Systems administrators are inadvertently helping malware wreak havoc on corporate networks by neglecting to extend device-based and identity-based protections to the increasingly rich troves of business data they hold, one security expert has warned.

The shortfall, Centrify vice president of product strategy David McNeely recently told CSO Australia, came as administrators failed to adequately manage user accounts that often – whether out of convenience or ignorance – provided far more access to system resources than they should.

“Most organisations have been spending money on firewalls, antivirus, intrusion detection and so on,” he explained, “yet the malware is still able to get in. A lot of times, administrative staff have been given full administrator access across every system on the network – and unfortunately the attackers know that's what they need to focus on.”

Attackers have shown great resourcefulness in stealing admin-level credentials, with companies like Linux Australia and Nissan hit by malware that steals user IDs and hashed passwords – hashes that attackers then increasingly set about cracking back to the original passwords.

Some systems counter such attacks by seeding decoy passwords for hackers to steal, but on a more accessible level McNeely said much of a company's exposure could be minimised if systems administrators were simply more diligent about restricting the permissions they grant users – limiting them to just the functions and systems they need to do their jobs.

Ironically, IT support staff were often the biggest advocates of full-admin access: “It's just a function of the IT administrator's job in life to put out fires, and when you've got a burning problem you want to have all the tools necessary to go in and solve it quickly,” McNeely said.

“You don't want access controls to get in your way, and that's why it's easier for them to operate a full set of privileges. But in many cases, better security means granting a slightly reduced set of privileges, or maybe privileges granted just-in-time instead of being permanently assigned to your account.”

Mustering the will to enforce such policies was still beyond many sysadmins, even though survey after survey – including one as recently as this month – confirmed that users are still terrible when it comes to password hygiene.

Such limits were becoming increasingly important as companies invested in big-data and similar efforts that concentrate large quantities of data – whether user-ID databases or large stores of business information – into repositories that are attractive targets for hackers to exfiltrate.

Companies could cut the exposure of such repositories by tightening the screws on internal access rights – for example, limiting the number of devices from which a particular login credential can be used, whether by MAC address filtering (a weak control on its own, since MAC addresses are trivially spoofed) or by proper device authentication – but many were still loath to implement restrictions that could be seen as cramping users' access.

“Nowadays it's part of your defence mechanism, where you need to set up the least privileges necessary for you to do your job,” McNeely explained, “and that's where people have the most adjustment to make in terms of the administrative side.”

“Just because my Active Directory account lets me log onto any laptop in the entire organisation doesn't mean there's a good reason for my account to be able to be logged in from my CEO's or CFO's laptop.”

One solution was to integrate single sign-on (SSO) capabilities within the corporate network, forcing devices and users to authenticate themselves – either explicitly, through SMS-based 2-factor authentication, or implicitly, with one-time software keys – as they travel between applications.

“We've gotten to the point where we can provide SSO to most of the applications and services on the inside of the company,” McNeely explained.

“We can make the initial login process more stringent to ensure it really is the user trying to log in; then we can give them a time-limited token that we can cryptographically prove came from an authority, and use that to provide access to other resources.”

Such an approach would also work to authenticate corporate users to Web sites and cloud services, although slow takeup by the majority of Web sites had limited this approach to “only a handful” of major sites, McNeely said. “There is an enormous number of sites that people need to access but very few that know how to take this SSO token.”
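As an added illustration (not code from the article, from Centrify, or from any SSO product), the following Python sketches the two controls McNeely describes: an account that is valid everywhere in the directory is nonetheless only usable from the devices assigned to it, and a successful stringent login yields a short-lived token signed by a central authority that downstream services can verify without re-authenticating the user. The authority key, the account-to-device policy, the claim names and the 15-minute lifetime are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical authority key, constructed for this example only. A real
# deployment would generate a random key and keep it in a secret store or
# HSM; it must never be committed to source.
AUTHORITY_KEY = b"example-authority-key-do-not-use-in-production"

# Constructed policy: which device IDs each account may be used from. This
# models the point that an account that *can* log onto any laptop in AD
# should not *be allowed* to log on from the CEO's.
ALLOWED_DEVICES = {
    "alice": {"LAPTOP-ALICE"},
    "helpdesk-bob": {"HD-WS-01", "HD-WS-02"},
}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short, because it is a bearer token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, device, now=None, ttl=TOKEN_TTL_SECONDS, key=AUTHORITY_KEY):
    """Mint a token after the user has passed the stringent initial login.

    Returns None when the account is not permitted on the presenting device,
    so the device restriction is enforced at issuance, not left to each app.
    """
    if device not in ALLOWED_DEVICES.get(user, set()):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "dev": device, "iat": int(now), "exp": int(now) + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token, presenting_device, now=None, key=AUTHORITY_KEY):
    """Check a token presented to a downstream application.

    Returns (claims, "ok") on success, or (None, reason) where reason is one
    of "malformed", "bad-signature", "expired", "device-mismatch". The
    signature is checked before the claims are trusted for anything.
    """
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".")
        sig = _b64url_decode(sig_text)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information about the MAC.
    if not hmac.compare_digest(sig, expected):
        return None, "bad-signature"
    try:
        claims = json.loads(_b64url_decode(body).decode())
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if now >= claims.get("exp", 0):
        return None, "expired"
    # Bind the token to the device it was issued for; a copy stolen from
    # alice's laptop is useless when replayed from another machine.
    if claims.get("dev") != presenting_device:
        return None, "device-mismatch"
    return claims, "ok"


if __name__ == "__main__":
    t = issue_token("alice", "LAPTOP-ALICE")
    print("fresh, right device:", verify_token(t, "LAPTOP-ALICE")[1])
    print("replayed from CEO laptop:", verify_token(t, "CEO-LAPTOP")[1])
    print("alice on CEO laptop at login:", issue_token("alice", "CEO-LAPTOP"))
```

Two points worth noting: the verifier checks the signature before it parses or trusts any claim, and the comparison is constant-time. This example uses a shared HMAC key for brevity, which means every relying party must hold the authority's secret; production SSO (SAML, OIDC/JWT) uses an asymmetric signature so that applications only need the authority's public key and cannot mint tokens themselves.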

Stories by David Braue