In the continuing list of NSA disclosures, it was recently revealed that administrators on target networks were hacked through their Facebook accounts. The leaked NSA document actually stated “Who better to target than the person that already has the ‘keys to the kingdom’?” from which we drew the title for this blog.
The type of access sought by the NSA is the same sort of access any malicious insider, hostile adversary or cyber criminal would want. Administrators are often the same staff responsible for security, so how can an organization independently audit the risk related to these users? Tenable can help organizations identify who their administrators are and measure the risk they present. This blog describes how Tenable’s Continuous View solution - which combines scanning, network monitoring and log analysis - can be leveraged to audit administrator risk.
Who are your administrators?
The number of administrators you have can vary greatly, depending on the size of your organization. You will likely have administrators in your IT department, and you will also have non-IT employees with administrative privileges for applications not managed directly by IT. For example, many developers manage the tools they use for software development without involving the IT department.
Knowing who your administrators are is just the beginning. You need to figure out which computers and systems these administrators leverage to do their job. With this list of computers, you can determine what their vulnerabilities are and what type of network browsing (such as visiting Facebook) has been occurring.
On the Tenable Discussion Forum, I posted a document titled “Detecting Who your Administrators are” that detailed a variety of techniques to enumerate who your administrators are and, more importantly, which systems they work from. These techniques leverage log analysis, network traffic analysis, and brute force searches of known administrator user lists and of the accounts that have administrator access in Nessus scan results.
Are your administrators a source of risk?
Once you have a list of systems that you are fairly confident are being used by administrators, there are many analytics you can run against it to understand specific risks and security weaknesses.
Do they have more vulnerabilities than other systems? I’ve seen organizations where the administrators took security so seriously they patched their systems first. I’ve also seen it where security was viewed as an impediment to IT management and all administrator computers were woefully unpatched.
Are security controls missing or disabled on these systems? If software that is supposed to be running, such as anti-virus, application whitelisting, backup agents, host firewalls or two-factor authentication, has been disabled in the name of performance or ease of management, your administrators are open to attack.
Are there exploitable vulnerabilities on these systems? SecurityCenter can be used to identify both exploitable clients, such as a web browser, as well as exploitable services, such as a vulnerable secure shell daemon.
Do these administrator computers connect directly to the Internet, to Facebook or to other social networking sites? When deployed as part of Continuous View, the Passive Vulnerability Scanner identifies all Internet facing services and all Internet browsing systems per port. It also identifies the majority of “social networking” sites. If these checks fire on systems in your administrator list, it indicates that you have a system administrator bringing their personal life into their corporate life. It also means they can be directly targeted by the NSA, or by any other group intent on compromising your network through this attack vector. It could also mean they are bypassing the proxy that Internet access is supposed to go through.
Has the list of administrators been targeted by APT or insiders? Another useful aspect of having a list of administrator computers is that you can look for administration activity where it shouldn’t be. Both insiders and APTs eventually target administrator credentials and leverage them to gain further access and steal data. Having a list of administrator IP addresses means that you can look for “admin related” events, such as root logins, coming from non-administrator systems.
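To make the log-analysis technique for enumerating administrator systems, the social-networking check and the “admin event from a non-admin system” check concrete, here is an added example. It is not Tenable code and not the forum document’s procedure; it is a stand-alone script over constructed OpenSSH auth log lines and squid-style proxy lines. It derives the set of source IPs that repeatedly log in as root, flags root logins from sources outside that set, and flags social-networking traffic from inside it. The sample log lines, the SOCIAL_DOMAINS list and the two-login threshold are all assumptions made for the example; in a Continuous View deployment the raw events would come from the Log Correlation Engine and PVS rather than from text files.

```python
"""Admin-system enumeration and misuse checks over constructed log samples.

Added example for this post, not Tenable code. Log formats are OpenSSH
syslog lines and squid native access.log lines; every sample below is
constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Successful root logins over SSH; failures are deliberately not matched.
SSH_ROOT_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?:publickey|password) for root from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical, deliberately short list; PVS ships its own detections.
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "linkedin.com")

# Constructed baseline week: used to learn which systems admins work from.
BASELINE_AUTH_LOG = """\
Jan 07 08:02:11 srv-db01 sshd[2211]: Accepted publickey for root from 10.0.5.21 port 51022 ssh2
Jan 07 08:10:05 srv-web02 sshd[3020]: Accepted password for root from 10.0.5.22 port 40212 ssh2
Jan 08 09:15:33 srv-web02 sshd[3101]: Accepted publickey for root from 10.0.5.21 port 51100 ssh2
Jan 09 09:20:12 srv-db01 sshd[2290]: Accepted publickey for root from 10.0.5.21 port 51301 ssh2
Jan 10 17:01:48 srv-db01 sshd[2350]: Accepted password for root from 10.0.5.22 port 40400 ssh2
Jan 11 10:31:09 srv-web02 sshd[3188]: Failed password for root from 10.0.7.77 port 39010 ssh2
Jan 12 14:20:00 srv-db01 sshd[2377]: Accepted publickey for root from 10.0.7.77 port 39100 ssh2
"""

# Constructed detection window: the day being reviewed.
TODAY_AUTH_LOG = """\
Jan 14 08:03:40 srv-db01 sshd[2400]: Accepted publickey for root from 10.0.5.21 port 51500 ssh2
Jan 14 11:42:07 srv-db01 sshd[2410]: Accepted password for root from 10.0.9.140 port 33018 ssh2
Jan 14 11:45:59 srv-web02 sshd[3250]: Failed password for root from 10.0.9.140 port 33020 ssh2
Jan 14 11:47:12 srv-web02 sshd[3251]: Accepted password for root from 10.0.9.140 port 33021 ssh2
"""

# Constructed squid native access.log lines (client IP is field 3, URL is field 7).
PROXY_LOG = """\
1389690123.456    210 10.0.5.21 TCP_MISS/200 5120 GET http://www.facebook.com/ - DIRECT/31.13.64.1 text/html
1389690130.001     80 10.0.5.22 TCP_MISS/200 2048 GET http://updates.example.com/patches/ - DIRECT/93.184.216.34 text/html
1389690140.777    150 10.0.8.15 TCP_MISS/200 3072 GET http://twitter.com/home - DIRECT/199.59.150.7 text/html
1389690151.300    120 10.0.5.21 TCP_MISS/200 4096 GET https://www.linkedin.com/feed/ - DIRECT/108.174.10.10 text/html
"""


def enumerate_admin_sources(auth_log, min_logins=2):
    """Return {ip: count} for source IPs with at least min_logins successful
    root SSH logins in the baseline. A single success is left out on purpose:
    one root login from a workstation is a lead to investigate, not evidence
    that it is an admin box, and a stolen credential used once would
    otherwise be promoted into the trusted list."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = SSH_ROOT_LOGIN.match(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= min_logins}


def rogue_root_logins(auth_log, admin_ips):
    """Successful root logins whose source is not a known admin system."""
    hits = []
    for line in auth_log.splitlines():
        m = SSH_ROOT_LOGIN.match(line)
        if m and m.group("ip") not in admin_ips:
            hits.append((m.group("ts"), m.group("host"), m.group("ip")))
    return hits


def is_social(url):
    """Exact or subdomain match against SOCIAL_DOMAINS (notfacebook.com is not a hit)."""
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)


def admin_social_browsing(proxy_log, admin_ips):
    """Proxy entries from admin systems to social-networking sites."""
    hits = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        if client in admin_ips and is_social(url):
            hits.append((client, urlsplit(url).hostname))
    return hits


if __name__ == "__main__":
    admins = enumerate_admin_sources(BASELINE_AUTH_LOG)
    print("admin systems:", admins)
    for ts, host, ip in rogue_root_logins(TODAY_AUTH_LOG, admins):
        print(f"ALERT root login on {host} from non-admin {ip} at {ts}")
    for ip, site in admin_social_browsing(PROXY_LOG, admins):
        print(f"WARN admin system {ip} browsing {site}")
```

On the constructed data the baseline yields two admin systems (10.0.5.21 and 10.0.5.22; 10.0.7.77 had one success and one failure and stays out), the detection day raises two alerts for root logins from 10.0.9.140, and the proxy log shows 10.0.5.21 reaching Facebook and LinkedIn. The threshold and the learn/detect split are the parts worth tuning: a longer baseline and a per-target rather than global threshold reduce both missed admins and false alerts.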
Are the administrators likely to have created a “work around” to obtain quick access? Very secure systems still need to be managed and often administrators will configure a quick “private” way to access these systems. Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn’t have time to go through all that might just rig up a back exit so they can step out for a smoke — and then hope no one finds out about it.
Network administrators are indeed targeted by everyone, not just the NSA. If you treat the security of your administrators as you would any other user on your network, you are not aligned with the threat.