
Tenable Blog

Who better to target than the person that already has the ‘keys to the kingdom’?

In the continuing list of NSA disclosures, it was recently revealed that administrators on target networks were hacked through their Facebook accounts. The leaked NSA document actually stated “Who better to target than the person that already has the ‘keys to the kingdom’?” from which we drew the title for this blog.

The type of access sought by the NSA is the same sort of access any malicious insider, hostile adversary or cyber criminal would want. Administrators are often the same staff responsible for security, so how can an organization independently audit the risk related to these users? Tenable can help organizations identify who their administrators are and measure the risk they present. This blog describes how Tenable’s Continuous View solution - which combines scanning, network monitoring and log analysis - can be leveraged to audit administrator risk.

Who are your administrators?

The number of administrators you have can vary greatly, depending on the size of your organization. You will likely have administrators in your IT department, and you will also have non-IT employees with administrative privileges for applications not managed directly by IT. For example, many developers manage the tools they use for software development without involving the IT department.

Knowing who your administrators are is just the beginning. You need to figure out which computers and systems these administrators leverage to do their job. With this list of computers, you can determine what their vulnerabilities are and what type of network browsing (such as visiting Facebook) has been occurring.

On the Tenable Discussion Forum, I posted a document titled “Detecting Who your Administrators are” that details a variety of techniques to enumerate who your administrators are and, more importantly, which systems they work from. These techniques leverage log analysis, network traffic analysis, and brute-force searches of Nessus scan results for known administrator user names and for accounts with administrator access.

Are your administrators a source of risk?

Once you have a list of systems that you are fairly confident are being used by administrators, there are plenty of different types of analytics you could perform to understand different types of risk and security weaknesses.

Do they have any more vulnerabilities than other systems? I’ve seen organizations where the administrators took security so seriously they patched their systems first. I’ve also seen it where security was viewed as an impediment to IT management and all administrator computers were woefully unpatched.

Are any expected security configurations missing on these systems? If these systems are supposed to be running applications such as anti-virus, white-listing software, backup agents, firewalls, two-factor authentication, etc., and those have been disabled in the name of performance or ease of management, your administrators could be open to attack.

Are there exploitable vulnerabilities on these systems? SecurityCenter can be used to identify both exploitable clients, such as a web browser, as well as exploitable services, such as a vulnerable secure shell daemon.

Do these administrator computers connect directly to the Internet, to Facebook or to other social networking sites? When deployed as part of Continuous View, the Passive Vulnerability Scanner identifies all Internet-facing services and all Internet-browsing systems per port. It also identifies the majority of “social networking” sites. If these checks fire for computers on your administrator list, it indicates that you have a system administrator bringing their personal life into their corporate life. It could also mean that they can be directly targeted by the NSA, or any other group intent on compromising your network, through this attack vector. It could also mean they have bypassed a proxy that all Internet access should be going through.

Has the list of administrators been targeted by APT or insiders? Another useful aspect of having a list of administrator computers is that you can look for administration activity where it shouldn’t be. Both insiders and APTs eventually target administrator credentials and leverage them to gain further access and steal data. Having a list of administrator IP addresses means that you can look for “admin related” events, such as root logins, coming from non-administrator systems.
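The two checks above, privileged logins arriving from systems that are not on the administrator list and administrator systems reaching social networking sites, can be scripted once the list exists. The example below is added here and is not Tenable's code; the administrator IP list, the sshd log lines and the web access records are constructed samples.

```python
import re

# Constructed inventory of systems we believe administrators work from
# (the blog derives this list from logs, network traffic and Nessus results).
ADMIN_SYSTEMS = {"10.1.5.20", "10.1.5.21"}
PRIVILEGED_ACCOUNTS = {"root", "admin"}
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "linkedin.com")

# Constructed sshd lines in syslog format (not from the blog).
AUTH_LOG = [
    "Jun 14 08:01:12 db01 sshd[2201]: Accepted publickey for root from 10.1.5.20 port 51022 ssh2",
    "Jun 14 08:03:45 db01 sshd[2215]: Accepted password for root from 10.9.77.140 port 40112 ssh2",
    "Jun 14 08:04:10 web02 sshd[3301]: Accepted publickey for alice from 10.9.77.140 port 40120 ssh2",
    "Jun 14 08:06:30 web02 sshd[3310]: Failed password for root from 10.9.77.140 port 40113 ssh2",
]

# Constructed web access records (source IP, host visited), as a proxy or
# passive network monitor would report them.
WEB_LOG = [
    ("10.1.5.20", "www.facebook.com"),
    ("10.1.5.21", "updates.example.com"),
    ("10.9.77.140", "www.facebook.com"),
]

SSH_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def privileged_logins_from_non_admin_systems(lines, admin_systems=ADMIN_SYSTEMS):
    """(host, user, src) for successful privileged logins whose source is not a
    known administrator system; failed attempts and ordinary users are ignored."""
    hits = []
    for line in lines:
        m = SSH_ACCEPTED.match(line)
        if m and m["user"] in PRIVILEGED_ACCOUNTS and m["src"] not in admin_systems:
            hits.append((m["host"], m["user"], m["src"]))
    return hits


def admin_systems_browsing_social(records, admin_systems=ADMIN_SYSTEMS):
    """(src, domain) where a known administrator system reached a social site.
    Match the domain or a subdomain, so 'notfacebook.com' does not count."""
    return [
        (src, domain) for src, domain in records
        if src in admin_systems
        and any(domain == d or domain.endswith("." + d) for d in SOCIAL_DOMAINS)
    ]


if __name__ == "__main__":
    print(privileged_logins_from_non_admin_systems(AUTH_LOG))
    print(admin_systems_browsing_social(WEB_LOG))
```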

Are the administrators likely to have created a “work around” to obtain quick access? Very secure systems still need to be managed and often administrators will configure a quick “private” way to access these systems. Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn’t have time to go through all that might just rig up a back exit so they can step out for a smoke — and then hope no one finds out about it.

Conclusion

Network administrators are indeed targeted by everyone, not just the NSA. If you treat the security of your administrators as you would any other user on your network, you are not aligned with the threat.

To learn more about Tenable’s solutions in this area, please read more about our forensics and incident response capabilities as well as our capability to detect threats and malicious behaviors.
