Addressing the Dangers of Root Access Approaches and Shared Passwords
By: Matthew Vulpis
Originally published in InfoTech Spotlight
As nearly every enterprise expands its digital architecture, managing multiple clouds and operating systems, distributed and constantly changing applications, and the versions of all of them becomes increasingly hard. The more systems and applications there are, the greater the complexity.
It is not unusual to find an organization running HP systems, Red Hat and other Linux distributions, IBM mainframes, various Windows servers, and newer open-source operating systems, along with the usual suspects.
IT is hard enough already, and now teams must also cope with a steep rise in remote workers while working remotely themselves. How can stretched IT and OT teams provision and manage every endpoint on the network, and every privileged user?
How can the C-Suite, including the CISO and compliance department, understand and control who is doing what, on which server, and why?
Out of frustration, with limited resources, and amid today's uncertainty, IT teams have understandably fallen back on shared privileged accounts: a single root or administrator password that every administrator of those systems knows.
Makes sense – right? With a common password, every admin knows the root password for all servers and can log in to any of them to perform any task.
But experts caution that this creates an unacceptable level of risk and can lead to major compliance violations, especially as threats grow in both number and sophistication.
We caught up with Ali Gomulu, an expert in this area, and a Solutions Architect at Ironsphere (a Privileged Access Management solution provider), to learn what he is seeing in this “next normal” environment.
“Applications and systems with privileged access can do more harm than good, should an insider turn malicious and go rogue,” Gomulu explained. “This unacceptable risk exists for any organization in which privileged user passwords are shared.”
Gomulu described a typical scenario where root, administrator, super user, and domain admins have unlimited access when given privileged accounts. “While we all wish to trust colleagues, we are now in a Zero Trust world, and with multiple users using the same account ID and password, there is zero accountability. In this setting, privileged accounts threaten the organization because these accounts can lead to exfiltration of personal data, the completion of unauthorized transactions and can lead to catastrophic events, including denial-of-service attacks. We’ve even seen cases where a super user takes nefarious actions, then hides that activity by deleting audit data.”
Until now, Gomulu explained, it has been difficult or impossible to automate and centralize this, especially in large organizations, which are often decentralized.
“The benefits of automation—savings of time and reduction of errors—are obvious, but until now, doing customized coding to unify has been costly, complicated, and impractical. We have been developing frameworks for years to automate and simplify having to manage across so many disparate parts, but our clients understand the urgency: generic administrative IDs and password sharing create disasters ready to happen.”
Gomulu says the demand is being driven by an array of compliance regimes, including GLBA, HIPAA, PCI DSS, and SOX, that require the enterprise to prove it controls its privileged users by tracking everything those users do. Failure to comply can lead to hefty penalties.
“The use of all privileged accounts must be audited on a regular basis, and the audit logs must reside on a separate computer from the one being audited, so the privileged user does not have rights to change the stored audit logs,” Gomulu said, “but when a motivated bad actor understands the value of what he or she may steal or enable an outsider to steal, they have found workarounds and have altered records.”
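The point about keeping audit logs out of the privileged user's reach deserves a concrete check. The following is an added example, not code from the article or from Ironsphere: each audit entry carries the hash of the entry before it, every entry is forwarded to a separate collector as it is written, and a comparison of the two copies pinpoints where a local deletion happened. The sample actions, host names and the `cover_tracks` scenario are constructed for illustration.

```python
"""Hash-chained audit log with an off-host copy and a tamper check (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" for the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(chain, user, action, host):
    """Append an entry whose hash covers its content and the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "user": user, "action": action, "host": host, "prev": prev}
    entry = {**body, "hash": _digest(body)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Local integrity check: (True, None) if every link holds, else (False, seq)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def find_divergence(local, remote):
    """First sequence number at which the local log stops matching the copy held
    by the collector, or None if the local log matches the collector's whole prefix."""
    for i, remote_entry in enumerate(remote):
        if i >= len(local) or local[i]["hash"] != remote_entry["hash"]:
            return i
    return None


def build_sample_logs():
    """Constructed sample: three privileged actions, each shipped to the collector
    at the moment it is written (the collector is outside the admins' reach)."""
    actions = [
        ("alice", "systemctl restart nginx", "web01"),
        ("bob", "cat /etc/shadow", "web01"),
        ("alice", "useradd deploy", "web01"),
    ]
    local, remote = [], []
    for user, action, host in actions:
        remote.append(dict(append_entry(local, user, action, host)))
    return local, remote


def cover_tracks(local, seq_to_remove):
    """Simulate a root user deleting one entry and rebuilding the local chain so that
    a purely local integrity check still passes. Root can do this, which is why the
    chain alone is not enough."""
    rebuilt = []
    for e in local:
        if e["seq"] != seq_to_remove:
            append_entry(rebuilt, e["user"], e["action"], e["host"])
    return rebuilt


if __name__ == "__main__":
    local, remote = build_sample_logs()
    tampered = cover_tracks(local, seq_to_remove=1)
    print("local check after tampering:", verify_chain(tampered))
    print("diverges from collector at seq:", find_divergence(tampered, remote))
```

The caveat the example makes visible: the rebuilt local chain passes `verify_chain`, because a user with root can recompute every hash after the deletion. The control that actually works is the forwarded copy; the chain just makes the comparison cheap, since a single removed or altered entry changes every hash after it and `find_divergence` stops at the first mismatch.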
With advanced PAM technology, no user needs to know the root password at all. That is driving the popularity of least privilege: for each task or process, the administrator is granted only the minimum rights required to perform the current task.
“Given the current environment, the number of attacks and sophistication of adversaries, and given human nature, privileged user malfeasance will grow,” Gomulu concluded. “Managing privileged users in a heterogeneous IT environment is a big problem worth solving. CISOs and their IT/OT teams can no longer afford to manage their privileged user accounts manually.”
One way to solve this is through advanced password management. Without a software solution, shared passwords make changing or rotating them very difficult: some team members may lose access, or everyone has to be notified before a change. Enforcing and managing a company-wide password policy is a huge task without automation, Gomulu said.
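To make the two ideas above concrete, least privilege without anyone knowing the root password and rotation that does not depend on notifying every admin, here is an added example of a minimal credential broker. It is illustrative code written for this page, not Ironsphere's product or any vendor's API; the class names (`TargetServer`, `Broker`), the glob-based policy format and the sample admins are assumptions. Admins authenticate to the broker as themselves, the broker alone holds the root password and presents it to the server, every action is recorded under the named admin, and the password is rotated on check-in so nothing learned during a session remains valid.

```python
"""Added example: a PAM-style broker with least-privilege policy, per-user audit
and rotate-on-check-in. Illustrative model, not a vendor implementation."""
import fnmatch
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_password(length=32):
    """Random root credential from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TargetServer:
    """Constructed stand-in for a managed host: it runs a command only when the
    caller presents the current root password."""

    def __init__(self, root_password):
        self._root_password = root_password
        self.executed = []

    def set_root_password(self, password):
        self._root_password = password

    def run_as_root(self, password, command):
        if not hmac.compare_digest(password, self._root_password):
            raise PermissionError("bad root password")
        self.executed.append(command)
        return "ok: " + command


class Broker:
    """Sits between named admins and the server. Admins never receive the root
    password; the broker presents it on their behalf, records the action under
    the admin's own identity and rotates the password before returning."""

    def __init__(self, server, policy):
        self._server = server
        self._policy = policy            # admin -> list of allowed command globs
        self._secret = new_password()    # only the broker and the server know it
        self._server.set_root_password(self._secret)
        self.audit = []                  # in practice shipped to a separate log host

    def allowed(self, admin, command):
        """Least privilege: the command must match one of the admin's task globs."""
        return any(fnmatch.fnmatchcase(command, pat)
                   for pat in self._policy.get(admin, []))

    def run(self, admin, command):
        if not self.allowed(admin, command):
            self.audit.append({"user": admin, "command": command, "result": "denied"})
            raise PermissionError(f"{admin} is not permitted to run {command!r}")
        output = self._server.run_as_root(self._secret, command)
        self.audit.append({"user": admin, "command": command, "result": "allowed"})
        # Rotate on check-in: the broker generates the new password and pushes it
        # to the server itself, so no admin has to be told about the change.
        self._secret = new_password()
        self._server.set_root_password(self._secret)
        return output


# Constructed least-privilege policy: each admin gets only the tasks they own.
POLICY = {
    "alice": ["systemctl restart nginx", "systemctl status *"],
    "bob": ["journalctl *"],
}


def demo():
    """Run one permitted and one forbidden action and return what the audit trail shows."""
    server = TargetServer(root_password=new_password())
    broker = Broker(server, POLICY)
    results = {"alice_restart": broker.run("alice", "systemctl restart nginx")}
    try:
        broker.run("bob", "cat /etc/shadow")
        results["bob_shadow"] = "allowed"
    except PermissionError:
        results["bob_shadow"] = "denied"
    results["audit"] = list(broker.audit)
    return results


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

Two things to notice. The audit trail names `alice` and `bob`, not `root`, which is the accountability a shared password destroys. And because the broker rotates the credential after every session, a password that leaks out of one session (a shoulder-surfed terminal, a saved shell history) no longer opens the server afterwards.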
“Within the PAM space, there are two architectural approaches to this: the proxy approach (man-in-the-middle) and the agent approach. These approaches are based on where the point of control is. With the proxy approach, the solution is placed between the users and the servers in a network, and all traffic is funneled through the proxy. With the agent approach, the solution is installed on individual servers.”
There are trade-offs between the two. The proxy approach is faster to deploy in large networks; according to Gomulu, “it is easier to maintain and operate and adds no resource overhead on servers. The agent approach provides more in-depth/granular control on servers and provides a more reliable point of control. Most organizations benefit from having access to both software solutions.”