October 26, 2010

System Administrators Gone Wild


We're all concerned about security, but where to focus attention is the challenge. While most of the attention is focused on inbound attacks, we also need to worry about internal attacks and misuse of access. Consider for example the Unix engineer who planted a "logic bomb" that could have wiped out all of Fannie Mae's servers.

The numbers vary — a lot — but most studies show that insider attacks account for a large percentage of attacks. As an example, Verizon's Business RISK team conducted a study this year that found a 26% rise in insider attacks.

The good news is that compliance measures seem to be working at keeping out external attackers. The bad news is that attacks and other data breaches are on the rise from the inside.

Why? In part, you can blame the economy. (Wny not? It's blamed for everything else!) It doesn't take a firing to trigger a problem, though. More people are disgruntled and exhibiting stress at work. Employees are overworked and looking for shortcuts to get their jobs done faster.


It's frustrating not to have the access you need to do your job. It's doubly frustrating as a system administrator to have to face users who don't feel they have enough access to do their jobs. The result? Users often end up with far more access than they need. Worse, once a user is granted access, it's rarely retracted. This is true of privileges granted to the user, as well as access to shared passwords.

Security breaches are not always because employees want to be bad, it's often because they just want to do their job and security is a secondary or tertiary concern, if at all.

Bruce Schneier cites a study done by Eric Johnson at Dartmouth's Tuck School of Business. The study showed that, in a business group of 3,000 people, 1,000 role changes were made in just three months. Imagine the same business after a year! And it's impossible to assume that all of those changes were made correctly, with appropriate permissions for each.

And they weren't. Schneier says that Johnson came to the conclusion that at least 50 percent of employees are over-entitled, and maybe up to 90 percent. And it's unlikely that privileges are revoked when they're awarded, so if an employee is over-entitled they're going to remain so. Businesses have processes to grant access to systems, but they rarely have processes to un-grant the same access when it's no longer necessary.

This of course applies to system administrators as well as rank-and-file employees. Over time the average system administrator just accrues access to more and more vital systems. While this may never be a problem for the vast majority of employees, is it a good idea to take that chance?


Once you've recognized the problem, what's the solution? A combination of policy and technical measures to ensure that users have only the access they need, and user education to emphasize that needs for security access policies and restrictions.

The size and type of your organization determines which policy or technical measures you need to deploy. For smaller organizations that have traditional (relatively non-stringent) security needs, a combination of a well-configured sudo setup and SE Linux or AppArmor might be just what the proverbial doctor ordered.

For larger organizations that deal with regulatory compliance like HIPPA, Sarbanes-Oxley, or PCI compliance, you may need to investigate commercial solutions like Centrify, Novell's Privileged User Manager, or other products. The exact solution depends on your organization, but a combination of simple user privilege management, auditing, and reporting features is important. Not only do you need to be able to restrict access, you need to be able to see where users have exercised access and what they have used it for.


A final thought: it is important to remember that there's no such thing as perfect access control. No matter what role based access control you use, no matter how tightly you control account access, it will never be perfect.

But in most organizations it can be better. The first step is recognizing the problem, the next one is working to fix it. This doesn't mean locking things down so that users can't access systems, but it does mean a continual process of improvement and taking a minimalist approach to access.

Click Here!