Systems administrators are inadvertently helping malware wreak havoc on corporate networks by neglecting to expand device and identity-based protections to protect increasingly rich honeypots of business data, one security expert has warned.
The shortfall, Centrify vice president of product strategy David McNeely recently told CSO Australia, came as administrators failed to adequate manage user accounts that often – whether out of convenience or ignorance – provided far more access to system resources than they should.
“Most organisations have been spending money on firewalls, antivirus, intrusion detection and so on,” he explained, “yet the malware is still able to get in. A lot of times, administrative staff have been given full administrator access across every system on the network – and unfortunately the attackers know that's what they need to focus on.”
Attackers have shown great resourcefulness in stealing admin-level credentials, with companies like Linux Australia and Nissan hit by malware that steals user IDs and hashed passwords – which have increasingly become the focus of efforts to reverse-engineer hashes into the original passwords.
Some systems have worked to counter such attacks by providing fake passwords to hackers, but on a more accessible level McNeely said much of a company's exposure could be minimised if systems administrators were just more diligent about restricting the permissions they grant users – limiting them to just the functions and systems they need to do their jobs.
Ironically, IT support staff were often the biggest advocates of full-admin access: “It's just a function of the IT administrator's job in life to put out fires, and when you've got a burning problem you want to have all the tools necessary to go in and solve it quickly,” McNeely said.
“You don't want access controls to get in your way, and that's why it's easier for them to operate a full set of privileges. But in many cases, better security means granting a slightly reduced set of privileges, or maybe privileges granted just-in-time instead of being permanently assigned to your account.”
Mustering the will to enforce such policies was still beyond many sysadmins, even though survey after survey – including one as recently this month – confirmed that users are still terrible when it comes to password hygiene.
Such limitations were becoming increasingly important as companies invested in big-data and similar efforts that were concentrating large quantities of data – whether user-ID databases, or large quantities of business information – that was likely to be desirable for hackers to exfiltrate.
Companies could cut the exposure of such repositories by tightening the screws on internal access rights – for example, using MAC address filtering to limit the number of devices from which a particular login credential can be used – but many were still loathe to implement restrictions that could be seen as cramping users' access.
“Nowadays it's part of your defence mechanism, where you need to set up the least privileges necessary for you to do your job,” McNeely explained, “and that's where people have the most adjustment to make in terms of the administrative side.”
“Just because my Active Directory account lets you log onto any laptop in the entire organisation, doesn't mean there's a good reason for my account to be able to be logged in from my CEO's or CFO's laptop.”
One solution was to integrate single sign-on (SSO) capabilities within the corporate network, forcing devices and users to authenticate themselves – either explicitly, through SMS-based 2-factor authentication, or implicitly, with one-time software keys – as they travel between applications.
“We've gotten to the point where we can provide SSO to most of the applications and services on the inside of the company,” McNeely explained.
“We can make the initial login process more stringent to ensure it really is the user trying to log in; then we can give them a time-limited token that we can cryptographically prove came from an authority, and use that to provide access to other resources.”
Such an approach would also work to authenticate corporate users to Web sites and cloud services, although slow takeup by the majority of Web sites had limited this approach to “only a handful” of major sites,” McNeely said. “There is an enormous number of sites that people need to access but very few that know how to take this SSO token.”
Read more: New Sydney office anchors iSIGHT's Australian threat-intelligence expansion
Blast from the past?
Try our new Space Invaders inspired video game NOW.
What score can you get ?