Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.

July 16, 2013

NSA Contractor Edward Snowden Leaked Secrets - A Classic Example of Cyber Security Risks Posed by Trusted Insiders


Edward Snowden needs no introduction, and I'm not about to opine on his actions.  What I would like to share my 2 cents on is the nature of this "security incident", and what government and business organizations worldwide can learn from it.

A Trusted Insider

This incident was a classic case of "unauthorized information disclosure" by "a trusted insider" with unrestricted access.

In this case, the "insider" seemingly had virtually "unrestricted" access to information, and the nature of information he accessed and divulged was so highly "sensitive" that the impact of its disclosure was colossal enough to cause a national government and a clandestine agency, potentially substantial harm, and embarrassment.

Risks to Cyber Security from Trusted Insiders

Unlike a traditional cyber security incident, involving an attack from an outsider, such a security incident is much harder, but not impossible, to protect against, because it involves a "trusted insider."

The threat of a security compromise from an insider always exists. However, few organizations take it seriously, perhaps because they perceive the "likelihood" of it to be low, or because they "perceive" the damage to being usually manageable, in that your average insider does not have administrative access and thus the extent of confidential information to which they could obtain access is usually limited.

However, in situations, wherein a highly trusted IT/Systems Administrator is involved, the damage can be substantial, as was the case here, because such admins almost always have unrestricted access to virtually the entire IT infrastructure, and are trusted with the great responsibility of safeguarding the organization's information assets.

So, when a highly trusted administrator turns malicious, there is very little you can do to stop him/her from inflicting substantial damage to the organization. That is because he/she can access, tamper, divulge and destroy virtually any organizational information asset he/she likes at will.

For example, should an accountant at a defense company leak the earnings numbers before their scheduled disclosure time, the impact would be limited to legal fall outs, but should a systems administrator leak the entire set of confidential blue-prints of the next supersonic plane the company was working on, such a breach could effectively put the company out of business.

This is why it is of paramount importance to ensure that organizations minimize the number of highly trusted administrators to an ABSOLUTE bare minimum. The importance of this elemental cyber security measure cannot be over-stated.

A Trusted Administrator

I know a thing or two about this, because I authored Microsoft's 400-page official white paper on delegating administration in Active Directory deployments, which deals with this very subject i.e. how to minimize the number of highly privileged administrative personnel to a minimum by delegating administrative authority based on the principle of least privilege.

Just one more thing. The method/system that NSA (and 20K+ organizations worldwide) would most likely have to use to find out who has what administrative powers in their IT infrastructures is protected by a patent, that I happen to be assigned.

(But I digress.)

Managing Risk Posed by Trusted Insiders with Unrestricted Administrative Access

The risk posed by a privileged trusted insider can almost never be completely eliminated because you will always have at least ONE person who will need to have (/ be able to obtain) unrestricted administrative access across the organization's IT infrastructure.

However, in most cases, the "likelihood" of this risk being materialized can be substantially minimized by reducing the number of highly privileged administrators, and by ensuring (to the extent possible) that those who do possess such unrestricted access are highly trustworthy and understand the serious implications of the misuse of their unrestricted administrative power.

Practically speaking though, if I were to share with you just how dismal the state of excessive administrative access entitlements is in most business and government organizations worldwide, you might fall out of your chair!

For instance, you'd be surprised if I told you just how many companies out there have 100s of Domain Admin accounts. In fact, in one company we came across, over 700 individuals had the ability to reset the password of the CEO's account, and login as the CEO on-demand within seconds. The only thing more scary is that no one including the CEO or these 700 admins knew about this. (Interestingly, one of their employees used Gold Finger Mini to figure this out in 30 seconds.)

(Anyway, I digress again, so back to the point at hand...)

What Can Organizations Do To Minimize The Risk Posed by A Malicious Trusted Insider?

The #1 thing organizations can do to minimize this risk is to understand and acknowledge just how serious and damaging a single such security incident can be for the organization.  (ONE such incident is all it takes to inflict substantial damage.)

Executive Management

Specifically, what is needed is for executive management to require and demand the enactment of adequate security risk management measures aimed at reducing the number of insiders who have unrestricted access to the IT infrastructure i.e. Domain Admins, Enterprise Admins and the like, i.e. folks whose job titles read "Infrastructure Consultant" etc.

Without executive support, this problem can almost never be adequately addressed.

Executive support is necessary because without it, the organization's IT group may not be able to drive the changes necessary to accomplish the reduction in the number of administrative accounts.

The #2 thing that organizations can do once executive support is in place, is to assign a high-priority IT project aimed at identifying the list of all individuals who have unrestricted or widespread access across their IT infrastructure.

Administrative Access Audit

This list should then be vetted out to understand the business requirements that drive/necessitate the provisioning of such unrestricted access for the identified individuals.

The vetting process must involve an analysis of why each of the identified individuals currently possess and require unrestricted administrative/system-wide access, and for each case wherein such access is not actually required, actionable steps must be identified to reduce/revoke such unrestricted administrative access, such that individuals only possess the least amount of access they need to fulfill their responsibilities.

The #3 thing organizations can do, is enact the steps identified in #2 above to minimize unrestricted administrative access to a bare minimum, by leveraging delegation of administrative responsibilities based on the principle of least privilege.

In other words, administrative access should be locked down based on the principle of least privilege.

Maintaining Security Post Initial Risk Reduction

It is not sufficient to minimize the number of privileged account holders, and then forget about it, because, unchecked, business requirements will invariably cause this number to get out of control again.

Thus it is imperative that all subsequent access provisioning requests be fulfilled in adherence to the principle of least privilege. This takes effort and time, but it is the harder right.

Also, to maintain security, on an ongoing basis, organizations should also periodically audit administrative access to ensure that the number of folks with unlimited /unrestricted system-wide access (as well as delegated access) is in line with what is expected, approved and authorized (i.e. not in violation of established business policy.)

It is also important to institute additional protection and monitoring measures to protect all accounts that have all-powerful administrative / unrestricted / system-wide access. In addition, it is equally important to establish policies that clearly state the ramfications of abuse of administrative power, and to communicate them to all powerful administrators. This deterrence measure is necessary.

If organizations enact just these 3 simple measures listed above, they could substantially reduce their attack surface, and thus reduce the likelihood of a successful "security breach" by a trusted insider.

For instance, you could use these measures to reduce the number of individuals who have unlimited administrative access from say 400, down to 40. Now, 40 is still 36 too many, but it is 360 less than the existing and unacceptable level of 400. (The number 400 is arbitrary, albeit representative of many large organizations, and primarily used to make the point.)

Time's Up

Given additional time, I could elaborate further, and provide additional and detailed guidance, but for now my 10 minutes are almost up, so this will have to be it.

My apologies if my 2c above is not proof-read by an editorial staff. Given my role at Paramount Defenses, I only have a few minutes each month to spend on "blogging", so this will have to be it.


PS: There's no dearth of commercially motivated advice out there that seems to suggest the deployment of certain access management solutions in such situations. I'll add just this much - no software solution "in and by itself" can reduce this risk as much as the single fundamental step of actually reducing the number of individuals who possess unrestricted privileges can, because you cannot protect a system from the administrator of the system, because the administrator is, by definition, a part of the system's TCB (Trusted Computing Base.)

PS2: Here's something to think about in light of Mr Snowden's actions -