Brian, for the uninitiated, what exactly are 'admin rights' and privilege management?
For most purposes, admin rights can be loosely defined as being the set of rights granted to either a root user (Linux, Unix, Mac OS X) or an administrator account (Windows), as opposed to standard user rights.
One of the biggest security issues in organisations is that admin rights are given too often and for a couple of common reasons: first, many users want to have control over their own desktops (who wants to wait until the IT department can get around to installing that vital piece of application software that you need?). Second is the perception that putting the onus on the user also reduces overall IT support costs (for example, fewer calls to the IT helpdesk), but the truth here is actually quite the opposite.
Privileged access or privileged identity management is the name given to the process of managing those rights: in other words, who has access to what. It matters because admin rights open up gaping security holes, however careful a company might think it is being. It's one thing to have a multi-layered investment in security software, but if Miss Jones in accounts is allowed to download a piece of software that turns out to contain malware that wreaks havoc all over the organization, then those big investments are in vain.
Do you have any insight into what the scale of the problem is?
Over 70% of known vulnerabilities in Windows 7 require admin privilege to be exploited. In a survey by BeyondTrust in late 2013, it was discovered that 44% of respondents knew that there were users in their company with excess account privilege, 65% had implemented some kind of control for this privilege and 54% knew that their users could circumvent those controls.
Forrester reported a couple of years ago that around 43% of data breaches are from internal sources. A Verizon report states that in 2011, 98% of data breaches came from external agents, but goes on to suggest those attacks were successful because they were enabled in part by human error or ignorance. By 2012, this had only dropped 6% to 92%. In short, as long as there are users with excessive privilege, companies are leaving the door wide open for this to happen each and every day.
Of course, those figures are going to vary but I'd argue we haven't seen much improvement. There have been some pretty high profile examples of where admin rights or excessive privilege have enabled data to be leaked or security breached, Target being one of the most recent examples.
Can you provide some examples of what actually goes wrong?
A hacker gaining access to a company network has to be extremely lucky to find themselves with access to a system with sensitive or valuable data as their initial point of entry. Most exploits happen on a system that has lower security, usually because it's not holding any sensitive data. Once on that system the hacker needs to find a privileged account to allow them to make lateral moves through the system until they find some useful data.
Once they've got that privileged account they aren't hacking any more: they start acting like an internal employee. So they're inside the organisation and behaving like – and treated like – anyone else with that level of admin rights. It's a bit like allowing a guest into the company foyer, not bothering with a security pass and while you're at it, giving them a set of keys to all of the doors, desks and file cabinets in the building. All this can stem from just a simple innocuous action, such as downloading an unauthorised application that brings in malware and gives the attacker a way into the organisation.
And of course, let's not forget that the 'insider threat' isn't just about allowing external attackers to imitate internal users: there have been some cases where employees have abused their privilege to access or distribute sensitive and confidential information.
So what are the barriers to companies dealing with this better?
Many feel they are left with little option other than to give admin rights. The security systems we have to work with in Windows, Linux, Unix and Mac OS X give us two options primarily: standard user and super user (root or administrator). When you exceed the capabilities of the standard user, we are only left with giving them admin rights to keep them productive.
IT is there to help our employees be more productive. A secure environment is currently seen as being one in which productivity is impacted by the coarse level at which we can apply user rights. Many companies have invested time and effort in tooling and processes to help them manage the excess privilege, from direct controls through to user training and assessment. User rights management is ingrained in many organisations and it's hard to let go.
What do you think needs to change?
Quite simply, we need to stop trying to manage the problem and start eliminating it. At the base level, it isn't the user that needs the additional rights/privileges, it's the applications and processes they are running. We need to move away from thinking about user privilege and move toward managing application privilege. This allows us to move to a place where privilege is explicit, not implicit as it is with admin rights. That would remove a wide variety of vulnerabilities straight away.
So what kind of practical processes could companies look at adopting – can you share some best practice suggestions?
Privilege management becomes more digestible when you think more in terms of applications, rather than users. Even in big organisations, there are probably only a couple of thousand apps and the need to apply privilege to these probably only applies to a small number. The privileges around that application are likely to be fairly constant, whereas privilege around users – who change jobs or leave the company – is more fluid.
The principle of Least Privilege, as first stated by Jerome Saltzer in 1974 ("Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."), gives us an approach that we can actually deliver on today. By starting with a standard user, adopting the approach of application privilege (the least privilege necessary for the application or process to run productively) and looking to assign the ability to run privileged applications explicitly we reach control through empowerment.
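The two answers above (managing application privilege rather than user privilege, and starting from a standard user with explicit assignments) can be shown as a small policy evaluator. The code below is an added illustration written for this page; it is not BeyondTrust's product code or any vendor's API. The application names, hashes, users and capability labels are all constructed for the example. The idea it demonstrates is that the user never holds admin rights: elevation is decided per application, the application is identified by its hash rather than its name, and the elevated capabilities are limited to those the policy lists.

```python
"""Application-privilege policy evaluator (added example, not from the interview).

Models "privilege is explicit, not implicit": users are standard users, and an
application runs elevated only if it is approved, unmodified, assigned to that
user, and asks for no more than the policy grants it.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_of(content: bytes) -> str:
    """Identify an application by the hash of its binary, not by its file name."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample binaries standing in for real executables.
BACKUP_AGENT_BIN = b"backup-agent v1.2 (constructed sample)"
PRINTER_SETUP_BIN = b"printer-setup v3 (constructed sample)"

# Approved applications: name -> (expected SHA-256, elevated capabilities permitted).
# The privilege is attached to the application, and it is the least the app needs.
APPROVED_APPS = {
    "backup-agent": (sha256_of(BACKUP_AGENT_BIN), {"read_all_files", "write_backup_volume"}),
    "printer-setup": (sha256_of(PRINTER_SETUP_BIN), {"install_driver"}),
}

# Explicit assignment of approved applications to users (hypothetical users).
# Anyone not listed, and every app not listed, runs with standard-user rights only.
ASSIGNMENTS = {
    "alice": {"backup-agent"},
    "ms.jones": {"printer-setup"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    capabilities: set = field(default_factory=set)


AUDIT_LOG: list = []  # every elevation request is recorded for visibility


def evaluate(user: str, app_name: str, app_content: bytes, requested) -> Decision:
    """Decide whether `user` may run `app_name` with the `requested` capabilities."""
    requested = set(requested)
    if app_name not in APPROVED_APPS:
        decision = Decision(False, f"{app_name}: not an approved application")
    else:
        expected_hash, granted = APPROVED_APPS[app_name]
        if sha256_of(app_content) != expected_hash:
            # A renamed or tampered binary must not inherit the approved app's privilege.
            decision = Decision(False, f"{app_name}: binary does not match approved hash")
        elif app_name not in ASSIGNMENTS.get(user, set()):
            decision = Decision(False, f"{user}: not assigned {app_name}")
        elif requested - granted:
            decision = Decision(False,
                                f"{app_name}: requests beyond policy: {sorted(requested - granted)}")
        else:
            decision = Decision(True, "explicit application privilege", requested)
    AUDIT_LOG.append((user, app_name, decision.allowed, decision.reason))
    return decision


if __name__ == "__main__":
    # The interview's scenario: a standard user downloads an unapproved program.
    print(evaluate("ms.jones", "free-screensaver", b"unknown download", {"install_driver"}))
    # The same user running the application explicitly assigned to her.
    print(evaluate("ms.jones", "printer-setup", PRINTER_SETUP_BIN, {"install_driver"}))
    # An approved app asking for more than its policy allows is still refused.
    print(evaluate("alice", "backup-agent", BACKUP_AGENT_BIN, {"read_all_files", "install_driver"}))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

Each request lands in `AUDIT_LOG` whether or not it is allowed, which is the visibility point made later in the interview: a denied request for an unapproved download is exactly the signal a helpdesk or security team wants to see.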
Without plugging any of your own software, how can tools help companies manage privilege better?
The complexity of our IT environments only seems to be increasing, but within that we do see very important technologies that can help us manage privilege better. Single sign-on allows us to have a consistent single identity across many applications within our working environment. Technologies that allow you to use a single identity across multiple operating system platforms further reduce the number of identities we need to operate and manage.
This reduction in the number of identities in the environment aids in the most important aspect that tooling can deliver: visibility. The clearer the visibility we have across our environments, the better the decisions we can make to move them forward, to make them more secure while still giving our customers (our users) the facilities they need to be productive. We cannot lose sight of the objective of the technology: it's not there for its own sake, it's there to help deliver productivity.
How might this fit into an overall security and IT risk management strategy?
Privilege management is one element of having a solid security strategy. Vulnerability management is another (hackers use vulnerabilities and privilege to exploit company networks) and good configuration management is also vital.
These all contribute to building a solid foundation on which to construct your broader technology services and security. There's no point investing in lots of technology tools to manage security if you haven't got the foundations right. Companies need a solid base of the right policies and processes, together with different security tools (there is no silver bullet) that don't just deal with security problems as they arise, but help to prevent them happening in the first place.
- Brian Chappell is Director of Technical Services for BeyondTrust in EMEA and APAC