By Shlomi Dinoor
Is your Neuroprivilogy vulnerable? The answer is most probably yes; you simply have no clue what Neuroprivilogy is (yet)…
The first step of this discussion is defining a fancy term to help educate and describe this new phenomenon. As the name suggests, Neuroprivilogy is constructed from the words neural (network) and privileged (access), and can be defined as the science of privileged access point networks. Using the neural network metaphor, an organization’s infrastructure is not flat, but instead a network of systems (neuron = system). The connections between systems are access points, similar to synapses (for neurons). Some of these access points are extremely powerful (i.e., privileged), while others are not. Regardless, access points should be used only by authorized sources.
In nearly every IT department, discussions about virtualization and debates about moving to the cloud usually end up in the same uncomfortable place, bookended by concerns about lack of security and loss of control. To help create a realistic risk/reward profile, we must first examine how the definition of privilege, in context of the identity and access management landscape, is evolving. We are no longer just talking about controlling database administrators with virtually limitless access to sensitive data and systems; we are talking about processes and operations that can be considered privileged based on the data accessed, the database being entered, or the actions being taken as a result of the data.
The concept of 'privilege' is defined by the risk of the data being accessed or the system being manipulated. Virtualized and cloud technologies compound that risk, making traditional perimeter defenses no longer sufficient to protect far-reaching cloud-enabled privileged operations. Whether data is hosted, based in a cloud or virtualized, privileged accounts and access points are everywhere.
To gain a better understanding of the vulnerabilities impacting a privileged access points network, consider these Seven Neuroprivilogy Vulnerability Fallacies:
- These access points have limited permissions: Most access points are granted privileged access rights to systems – systems use proxy accounts for inter-system interactions (e.g., application to database). Usually the most permissive access rights any one operation requires become the common (permission) denominator granted to the whole account.
- Given the associated high risk, I probably have controls in place: Does anything from the following list sound familiar? Hardcoded passwords, clear text passwords in scripts, default passwords never changed, “if we touch it, everything will break”… The irony is that personal accounts for real users have very limited access rights yet stricter controls (even simple ones, such as mandating frequent password changes).
- But I have all those security systems, so I must be covered, right? Existing security controls fail to address this challenge – IAM, SIEM and GRC are all good solutions; however, they address the challenge of known identities, accounting for limited access to the organization’s infrastructure, hence lower risk. Accounts associated with privileged access points usually have limitless access, and are often used by non-carbon based entities or anonymous identities. Therefore, more adequate controls are required.
- Privileged access points vulnerability is strictly for insiders: Picture yourself as the bad guy. Which of the following would you target? Personal accounts with limited capabilities protected by some controls, OR privileged access points with limitless access protected by no controls? The notion of an internal access point is long gone, especially with the borderless infrastructure trend (did I say cloud?).
- This vulnerability is isolated to my traditional systems: Some of the more interesting attacks/breaches from the past year present an interesting yet not entirely unexpected trend. The target is no longer confined to the traditional server, application or database. Bad guys attacked source code configuration management systems (Aurora attacks), point-of-sale devices, PLC (Stuxnet), ATMs, videoconferencing systems (Cisco), and more.
- Adding new systems (including security systems) should not impact my security posture: That’s where it gets interesting. Most systems interact with others, whether infrastructure (such as a database or user store) or services. Whenever you add a system to your environment, you immediately add administrative accounts to the service, and interaction points (access points) to other systems. As already mentioned, most of these powerful access points are poorly maintained, causing a local vulnerability (of the new system) as well as a global vulnerability (the new system serves as a hopping point to other network nodes). Regardless, your overall security posture goes down.
- I have many more accounts for real users than access points for systems: Though this fallacy might sound right, the reality is actually very different. It is not about how many systems you have, but the inter-communication between them. Based on conversations with enterprise customers, the complexity of the network and magnitude of this challenge will surprise many.
When observing these fallacies alongside advanced persistent threat (APT) attack characteristics, you realize Neuroprivilogy vulnerability is the Holy Grail for APT attackers. Cybercriminals understand the potential of these privileged access point networks, and by leveraging these vulnerabilities they have transformed the cybercrime frontier, as seen with many of the recent APT attacks, such as Stuxnet. It fits perfectly with APT characteristics – not about quick or easy wins, but about patient, methodical and persistent attacks targeting a well-defined (big) “prize.” Working the privileged access point networks will eventually grant the bad guy access to his/her target.
So, what options exist for organizations that must balance protecting against cybercriminals with the proven advantages of virtualization and cloud technology? Let’s get down to some more details about network access points – how to find them and how to eliminate the vulnerability, or at least lessen the impact.
Discover – there is nothing you can do if you don’t know about it… To better secure network access points, including related identities, processes and operations, organizations must be able to automate the detection process of privileged accounts, including service accounts and scheduled tasks, wherever they are used across the data center and remote networks. This auto-detection capability significantly reduces ongoing administration overhead by proactively adding in new devices and systems as they are commissioned, and it further ensures that any privileged password changes are propagated wherever the account is used. It also increases stability and eliminates risks of process and application failures from password synchronization mismatches.
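The network metaphor above (systems as nodes, proxy accounts as access points) and the discovery step can both be made concrete. The following is an added example, not code from the article or from Cyber-Ark: it models a constructed inventory of access points, then reports the reused and stale accounts a discovery pass should flag, the systems an attacker could hop to from any one compromised node, and how that worst case grows when a new system is added (fallacy six). All system and account names are made up.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    source: str              # system that holds the credential
    target: str              # system the credential grants access to
    account: str             # proxy/service account used at this access point
    days_since_rotation: int

# Constructed inventory: three systems share one long-unrotated database account.
INVENTORY = [
    AccessPoint("web01", "db01", "svc_app", 900),
    AccessPoint("web02", "db01", "svc_app", 900),
    AccessPoint("batch01", "db01", "svc_app", 900),
    AccessPoint("batch01", "fileshare", "svc_batch", 30),
    AccessPoint("fileshare", "backup", "svc_backup", 10),
]

def reused_accounts(inventory):
    """Accounts whose secret is held on more than one system: one leak, many holders."""
    holders = defaultdict(set)
    for ap in inventory:
        holders[ap.account].add(ap.source)
    return {acct: sorted(h) for acct, h in holders.items() if len(h) > 1}

def stale_accounts(inventory, max_age_days=90):
    """Accounts outside rotation policy (the 'default password never changed' case)."""
    return sorted({ap.account for ap in inventory if ap.days_since_rotation > max_age_days})

def blast_radius(inventory, start):
    """Systems reachable from a compromised `start` by hopping along its access points."""
    edges = defaultdict(set)
    for ap in inventory:
        edges[ap.source].add(ap.target)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

def posture_after_adding(inventory, new_points):
    """Largest blast radius before and after a new system's access points are added."""
    def worst(inv):
        return max(len(blast_radius(inv, s)) for s in {ap.source for ap in inv})
    return worst(inventory), worst(list(inventory) + list(new_points))
```

In a real environment the inventory would come from enumerating service accounts, scheduled tasks and connection strings across systems, which is exactly the discovery step the paragraph describes.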
Control – don’t be an ostrich, take control! Another benefit of automation, particularly for those who fear loss of control, is that organizations are assured that password refreshes are made at regular intervals and in line with the organization’s IT and security policies. Having an automated system in place allows the company to have a streamlined mechanism for disabling these privileged accounts immediately, thus lessening the impact on business operations.
And yeah, Comply – from a compliance standpoint, regulations such as Sarbanes-Oxley, PCI, and Basel II require organizations to provide accountability about who or what accessed privileged information, what was done, and whether passwords are protected and updated according to policy. Without the necessary systems in place to automatically track and report that access, compliance becomes a daunting, time-consuming, and often expensive process, especially in terms of employees’ time and potential fines.
It is true that no single solution can prevent every breach or cyber threat that could impact a virtualized or cloud environment (multiple layers of defense are important). However, by adopting a Neuroprivilogy state of mind, organizations gain a more holistic view of infrastructure vulnerabilities. The best advice is to “prepare now” by proactively implementing proven processes and technologies to automate adherence to security policies that are in place across the entire enterprise. In doing so, enterprises can protect sensitive access points against breaches, meet audit requirements, as well as mitigate productivity and business losses.
So, now that you know more, I’ll ask again: Is your Neuroprivilogy vulnerable? If you aren’t sure, chances are there is a cybercriminal out there who already knows. So now the real question becomes: What are you going to do about it?
Shlomi Dinoor is vice president, emerging technologies, for Cyber-Ark Software and has more than 12 years of security and identity management experience in senior engineering management positions. As the head of Cyber-Ark Labs at Cyber-Ark Software, Dinoor is focused on new technologies that help customers prepare for “what’s next” in terms of emerging insider threats, data breach vulnerabilities and audit requirements. To read more, visit his personal blog, Shlomi’s Parking Spot.