Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.



March 6, 2014

Updated a Potentially $ Trillion Cyber Security Algorithm Last Week

Folks,

My sincere apologies for the unintended lapse in sharing thoughts via this blog, which has primarily been on account of us having received a "seemingly" simple request late last year, the fulfillment of which required my involvement and time.
 
We Need to Know, NOW

A few days after I penned my last blog entry, we received a request from a rather prominent U.S. Government agency (i.e. one with a 3-letter acronym ending in A) that happens to have a rather large and complex Active Directory environment.

Administrative/Privileged Access Holders

The request was seemingly simple – we were requested to try and do our best to enhance the performance of Gold Finger’s unique administrative access assessment/audit capabilities, so that Gold Finger could help them “swiftly” identify exactly who had what administrative powers (aka the “keys to the kingdom”) in their environment.
 
By “swiftly” I mean, within a matter of minutes.

Gold Finger could already identify and reveal paramount administrative access/entitlement insight like Who can effectively reset the password of any user in the organization to instantly login as him/her, within minutes in most deployments. It was in complicated environments that it could sometimes take an hour or more. An hour's not that bad at all, considering the sole alternative, which is to try and do the same manually (using basic tools), which could easily take months, if not years. 
 
But I suppose they needed Gold Finger to be able to do the same in their "complex" AD deployment, within minutes.
 
 
Why they needed this is not ours to question. (We don’t question - we only deliver.) But if I had to guess, I'd say it's probably because they understood the risk associated with an insider being able to identify and exploit unauthorized access grants in their Active Directory to gain access to, and subsequently tamper with, divulge or destroy, virtually any IT resource he/she wanted to, at will, and may have thus felt the need to attain and maintain least-privileged access (LPA) in their foundational Active Directory at all times, given that access provisioned in AD is always changing, even if by a little.

Anyway, this was, as I said a "seemingly" simple ask.

I say "seemingly" simple because as the architect of Gold Finger, I'll be the first to tell you that the only thing harder than making something as sophisticated as Gold Finger, is trying to make it much faster. Here’s why -

When you press the Gold Finger button, almost half a million lines of code go to work in a magical black box, and within minutes, they reveal completely accurate, instantly actionable and mission-critical effective access insight in plain English.
 
 
 
For instance, when you select a report like Who can reset user account passwords across a domain of say 50,000 users, Gold Finger literally determines effective permissions on 50,000 user accounts in a single shot. That's no easy task. To begin with, it involves retrieving almost 5 million ACEs, doing the relatively easy stuff (resolving 1000s of SIDs, expanding 1000s of direct/nested/circular group memberships, etc. etc.) and then the difficult stuff (assessing millions of access grants taking into account over a dozen factors), to ultimately identify and reveal exactly who can reset whose passwords. There’s also a lot that can go wrong at any point so you have to be able to deal with virtually every potential unknown.

In essence, there are over 100 different inter-dependent logical functions that operate in unison to do, at the touch of a button, what is generally considered almost impossible to do. In other words, there’s just so much complexity involved that trying to make the smallest change, let alone trying to accomplish even a 10% performance gain, can be quite difficult.
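The pipeline sketched above (gather ACEs, expand nested and circular group memberships, then evaluate each access grant) reduced to a small runnable model. This is an added example and not Gold Finger's code or its algorithm; it assumes a constructed directory snapshot (group names, OU names, user objects and ACEs are all made up and embedded inline) and a simplified evaluation of a single right, the Reset Password extended right, using canonical DACL order where the first matching ACE decides. The only real identifier is the AD schema GUID for that extended right.

```python
"""Who can reset whose password: a reduced, runnable model of the effective-access
question discussed above. Added example; not Gold Finger's code. Every piece of
directory data below is constructed for illustration."""
from collections import deque

# Real AD schema GUID for the User-Force-Change-Password ("Reset Password") extended right.
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Constructed group membership: group -> direct members (users or groups).
# Helpdesk and Tier2 contain each other, so expansion must tolerate cycles.
GROUPS = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"bob", "Tier2"},
    "Tier2": {"carol", "Helpdesk"},
    "Interns": {"dave"},
}

# Constructed inheritable ACEs on containers: (type, trustee, right, object_type).
# right is "GenericAll" (full control) or "ExtendedRight"; object_type is the
# extended-right GUID the ACE is scoped to, or None for all extended rights.
OU_ACL = {
    "OU=Execs": [("Allow", "Domain Admins", "GenericAll", None)],
    "OU=Staff": [
        ("Allow", "Domain Admins", "GenericAll", None),
        ("Allow", "Helpdesk", "ExtendedRight", RESET_PASSWORD_GUID),
        ("Deny", "Interns", "ExtendedRight", RESET_PASSWORD_GUID),
    ],
}

# Constructed user objects: the container each lives in plus its explicit ACEs.
USERS = {
    "ceo": {"container": "OU=Execs",
            "acl": [("Allow", "bob", "ExtendedRight", RESET_PASSWORD_GUID)]},  # stray direct grant
    "erin": {"container": "OU=Staff",
             "acl": [("Deny", "carol", "ExtendedRight", RESET_PASSWORD_GUID)]},
    "frank": {"container": "OU=Staff", "acl": []},
}


def effective_token(principal):
    """The principal plus every group it belongs to, directly or transitively.
    The visited set (token) makes the circular Helpdesk <-> Tier2 membership terminate."""
    token = {principal}
    queue = deque([principal])
    while queue:
        member = queue.popleft()
        for group, members in GROUPS.items():
            if member in members and group not in token:
                token.add(group)
                queue.append(group)
    return token


def canonical_dacl(user):
    """Explicit ACEs before inherited ones, denies before allows within each:
    the canonical order in which a Windows DACL is evaluated."""
    explicit = USERS[user]["acl"]
    inherited = OU_ACL.get(USERS[user]["container"], [])

    def of_type(aces, ace_type):
        return [a for a in aces if a[0] == ace_type]

    return (of_type(explicit, "Deny") + of_type(explicit, "Allow")
            + of_type(inherited, "Deny") + of_type(inherited, "Allow"))


def ace_covers(ace, right_guid):
    """Does this ACE speak to the requested extended right at all?"""
    _, _, right, object_type = ace
    if right == "GenericAll":
        return True
    return right == "ExtendedRight" and object_type in (None, right_guid)


def can_reset_password(principal, user):
    """The first ACE naming something in the principal's token and covering the
    right decides, so an explicit Deny beats an Allow inherited through a group."""
    token = effective_token(principal)
    for ace in canonical_dacl(user):
        ace_type, trustee, _, _ = ace
        if trustee in token and ace_covers(ace, RESET_PASSWORD_GUID):
            return ace_type == "Allow"
    return False


def individuals():
    """Every non-group principal in the snapshot."""
    members = {m for ms in GROUPS.values() for m in ms if m not in GROUPS}
    return members | set(USERS)


def who_can_reset(user):
    return sorted(p for p in individuals() if can_reset_password(p, user))


def reset_password_report():
    """user -> sorted list of individuals who can effectively reset its password."""
    return {u: who_can_reset(u) for u in USERS}


if __name__ == "__main__":
    for target, holders in reset_password_report().items():
        print(f"{target:6} <- {', '.join(holders)}")
```

Two things the report makes visible that a glance at direct group membership would not: carol gains the right on frank only through the Tier2 -> Helpdesk cycle, and loses it on erin because of one explicit Deny ACE on that object. Real evaluation also has to consider object owners, WriteDacl/WriteOwner, SELF and the many other factors the post alludes to; this model deliberately covers only the one right.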

So, although this seemed like a simple ask, what was required to deliver on it was in fact a combination of deep subject matter expertise, utmost discipline, world-class software-engineering, and of course comprehensive testing.

After months of highly disciplined work (some of which was already in progress), our Engineering teams ultimately achieved what was no easy feat - making Gold Finger faster. Not just a little faster, but up to 5 times faster.

 

Gold Finger 6.0

Gold Finger 6.0 embodies our patented cumulative access entitlement technology and is the culmination of over half a decade of innovative cyber security research and development. It is not only the world's fastest cyber security solution that can accurately identify and reveal the identities of all individuals who effectively possess (any level of) administrative / privileged access in Microsoft Windows Server based IT infrastructures powered by Active Directory, it may possibly be the world's ONLY cyber security solution that can do so.
 
 
A Potentially Trillion $ Algorithm 

As you may know, in most organizations worldwide today, the compromise of a single administrative / privileged account could be sufficient to inflict colossal and often irreversible damage to the organization, so the need to know exactly who has what administrative access in Active Directory (which stores and protects the keys to virtually every lock in the kingdom) is paramount. 
 
For those to whom this seems overstated or far-fetched, there’s just one name to mention – Edward Snowden.

In our efforts to fulfill this request, not only were we able to help one of the world’s most important government agencies, we have also been able to (now) empower virtually every organization worldwide to finally be able to know within minutes with complete accuracy, exactly who has the proverbial keys to their kingdoms.

With over 85% of all government and business organizations worldwide running on Active Directory, including virtually the entire Fortune 1000, even we’re not sure how to value an algorithm that can uniquely and instantly help determine exactly who’s got the keys to the(se) kingdom(s).
 
 
All we know, and care deeply about, is helping organizations worldwide attain and maintain least-privileged access (LPA) in their Active Directory deployments, because we believe nothing is more important than “defending the keys to the kingdom”.
 
Alright, back to work.

Best wishes,
Sanjay

PS: Sadly, it takes just ONE malicious or coerced insider with admin/privileged access to inflict colossal damage.

July 16, 2013

NSA Contractor Edward Snowden Leaked Secrets - A Classic Example of Cyber Security Risks Posed by Trusted Insiders

Folks,

Edward Snowden needs no introduction, and I'm not about to opine on his actions. What I would like to share my 2 cents on is the nature of this "security incident", and what government and business organizations worldwide can learn from it.



A Trusted Insider

This incident was a classic case of "unauthorized information disclosure" by "a trusted insider" with unrestricted access.

In this case, the "insider" seemingly had virtually "unrestricted" access to information, and the nature of the information he accessed and divulged was so highly "sensitive" that the impact of its disclosure was colossal enough to cause a national government and a clandestine agency potentially substantial harm and embarrassment.


Risks to Cyber Security from Trusted Insiders

Unlike a traditional cyber security incident involving an attack from an outsider, such a security incident is much harder, but not impossible, to protect against, because it involves a "trusted insider."

The threat of a security compromise from an insider always exists. However, few organizations take it seriously, perhaps because they perceive the "likelihood" of it to be low, or because they "perceive" the damage to be usually manageable, in that your average insider does not have administrative access and thus the extent of confidential information to which they could obtain access is usually limited.

However, in situations wherein a highly trusted IT/Systems Administrator is involved, the damage can be substantial, as was the case here, because such admins almost always have unrestricted access to virtually the entire IT infrastructure, and are trusted with the great responsibility of safeguarding the organization's information assets.

So, when a highly trusted administrator turns malicious, there is very little you can do to stop him/her from inflicting substantial damage on the organization. That is because he/she can access, tamper with, divulge or destroy virtually any organizational information asset he/she likes, at will.

For example, should an accountant at a defense company leak the earnings numbers before their scheduled disclosure time, the impact would be limited to legal fallout, but should a systems administrator leak the entire set of confidential blueprints of the next supersonic plane the company was working on, such a breach could effectively put the company out of business.

This is why it is of paramount importance to ensure that organizations minimize the number of highly trusted administrators to an ABSOLUTE bare minimum. The importance of this elemental cyber security measure cannot be over-stated.


A Trusted Administrator

I know a thing or two about this, because I authored Microsoft's 400-page official white paper on delegating administration in Active Directory deployments, which deals with this very subject, i.e. how to keep the number of highly privileged administrative personnel to a minimum by delegating administrative authority based on the principle of least privilege.

Just one more thing. The method/system that NSA (and 20K+ organizations worldwide) would most likely have to use to find out who has what administrative powers in their IT infrastructures is protected by a patent that happens to be assigned to me.

(But I digress.)


Managing Risk Posed by Trusted Insiders with Unrestricted Administrative Access

The risk posed by a privileged trusted insider can almost never be completely eliminated because you will always have at least ONE person who will need to have (/ be able to obtain) unrestricted administrative access across the organization's IT infrastructure.


 
However, in most cases, the "likelihood" of this risk being materialized can be substantially minimized by reducing the number of highly privileged administrators, and by ensuring (to the extent possible) that those who do possess such unrestricted access are highly trustworthy and understand the serious implications of the misuse of their unrestricted administrative power.

Practically speaking though, if I were to share with you just how dismal the state of excessive administrative access entitlements is in most business and government organizations worldwide, you might fall out of your chair!

For instance, you'd be surprised if I told you just how many companies out there have hundreds of Domain Admin accounts. In fact, in one company we came across, over 700 individuals had the ability to reset the password of the CEO's account, and log in as the CEO on demand within seconds. The only thing more scary is that no one, including the CEO or these 700 admins, knew about this. (Interestingly, one of their employees used Gold Finger Mini to figure this out in 30 seconds.)

(Anyway, I digress again, so back to the point at hand...)


What Can Organizations Do To Minimize The Risk Posed by A Malicious Trusted Insider?

The #1 thing organizations can do to minimize this risk is to understand and acknowledge just how serious and damaging a single such security incident can be for the organization. (ONE such incident is all it takes to inflict substantial damage.)


Executive Management

Specifically, what is needed is for executive management to require and demand the enactment of adequate security risk management measures aimed at reducing the number of insiders who have unrestricted access to the IT infrastructure, i.e. Domain Admins, Enterprise Admins and the like, which often includes folks whose job titles read "Infrastructure Consultant" etc.

Without executive support, this problem can almost never be adequately addressed.

Executive support is necessary because without it, the organization's IT group may not be able to drive the changes necessary to accomplish the reduction in the number of administrative accounts.

The #2 thing that organizations can do once executive support is in place, is to assign a high-priority IT project aimed at identifying the list of all individuals who have unrestricted or widespread access across their IT infrastructure.

Administrative Access Audit


This list should then be vetted to understand the business requirements that drive/necessitate the provisioning of such unrestricted access for the identified individuals.

The vetting process must involve an analysis of why each of the identified individuals currently possesses and requires unrestricted administrative/system-wide access, and for each case wherein such access is not actually required, actionable steps must be identified to reduce/revoke such unrestricted administrative access, such that individuals only possess the least amount of access they need to fulfill their responsibilities.

The #3 thing organizations can do, is enact the steps identified in #2 above to minimize unrestricted administrative access to a bare minimum, by leveraging delegation of administrative responsibilities based on the principle of least privilege.

In other words, administrative access should be locked down based on the principle of least privilege.


Maintaining Security Post Initial Risk Reduction

It is not sufficient to minimize the number of privileged account holders, and then forget about it, because, unchecked, business requirements will invariably cause this number to get out of control again.

Thus it is imperative that all subsequent access provisioning requests be fulfilled in adherence to the principle of least privilege. This takes effort and time, but it is the harder right.

Also, to maintain security on an ongoing basis, organizations should periodically audit administrative access to ensure that the number of folks with unlimited/unrestricted system-wide access (as well as delegated access) is in line with what is expected, approved and authorized (i.e. not in violation of established business policy).
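The periodic audit described above, as an added example (not code from this post or from Paramount Defenses): it assumes the current set of unrestricted-access holders has already been resolved (nested groups flattened) and compares it against an approved register in which every holder carries a business justification and a re-vetting date, so the output is exactly the list that goes back into the vetting step. All names, justifications and dates are constructed.

```python
"""Periodic privileged-access audit against an approved register.
Added example; every name, justification and date below is constructed."""
from datetime import date

# Constructed: individuals who currently hold unrestricted access, e.g. the
# resolved (nested groups already flattened) membership of Domain Admins.
CURRENT_HOLDERS = {"alice", "bob", "carol", "svc-backup", "contractor7"}

# Constructed register of approved holders: the business justification and the
# date by which the grant must be re-vetted.
APPROVED = {
    "alice": {"justification": "AD platform owner", "expires": date(2014, 12, 31)},
    "bob": {"justification": "break-glass secondary", "expires": date(2014, 6, 30)},
    "svc-backup": {"justification": "legacy backup agent", "expires": date(2013, 1, 31)},
    "eve": {"justification": "former AD engineer", "expires": date(2014, 12, 31)},
}

AUDIT_DATE = date(2014, 3, 6)  # constructed: the day this audit run is evaluated on


def audit_privileged_access(current, approved, today):
    """Classify every current holder and every register entry:
    unapproved  - holds access with no approved justification (vet, then revoke or approve)
    expired     - approved, but the justification is past its re-vetting date
    in_policy   - approved and current
    stale_entry - approved on paper but no longer holds access (clean the register)"""
    findings = {"unapproved": [], "expired": [], "in_policy": []}
    for holder in sorted(current):
        entry = approved.get(holder)
        if entry is None:
            findings["unapproved"].append(holder)
        elif entry["expires"] < today:
            findings["expired"].append(holder)
        else:
            findings["in_policy"].append(holder)
    findings["stale_entry"] = sorted(set(approved) - set(current))
    return findings


def reduction_target(findings):
    """Holders that remain once every unapproved and expired grant is revoked."""
    return sorted(findings["in_policy"])


def default_audit():
    """Run the audit over the constructed snapshot and register."""
    return audit_privileged_access(CURRENT_HOLDERS, APPROVED, AUDIT_DATE)


if __name__ == "__main__":
    result = default_audit()
    for category, names in result.items():
        print(f"{category:12}: {', '.join(names) or '-'}")
    print("holders after revocation:", reduction_target(result))
```

The stale_entry bucket matters as much as the others: a register that still lists people who no longer hold access will silently re-approve them if their access is ever re-granted, so the register is reconciled in both directions on every run.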

It is also important to institute additional protection and monitoring measures to protect all accounts that have all-powerful administrative / unrestricted / system-wide access. In addition, it is equally important to establish policies that clearly state the ramifications of abuse of administrative power, and to communicate them to all powerful administrators. This deterrence measure is necessary.

If organizations enact just these 3 simple measures listed above, they could substantially reduce their attack surface, and thus reduce the likelihood of a successful "security breach" by a trusted insider.

For instance, you could use these measures to reduce the number of individuals who have unlimited administrative access from say 400, down to 40. Now, 40 is still 36 too many, but it is 360 less than the existing and unacceptable level of 400. (The number 400 is arbitrary, albeit representative of many large organizations, and primarily used to make the point.)


Time's Up

Given additional time, I could elaborate further, and provide additional and detailed guidance, but for now my 10 minutes are almost up, so this will have to be it.

My apologies that my 2c above has not been proof-read by an editorial staff. Given my role at Paramount Defenses, I only have a few minutes each month to spend on "blogging".

Best,
Sanjay.

PS: There's no dearth of commercially motivated advice out there that seems to suggest the deployment of certain access management solutions in such situations. I'll add just this much - no software solution "in and by itself" can reduce this risk as much as the single fundamental step of actually reducing the number of individuals who possess unrestricted privileges can, because you cannot protect a system from the administrator of the system; the administrator is, by definition, a part of the system's TCB (Trusted Computing Base).

PS2: Here's something to think about in light of Mr Snowden's actions - http://www.sanjaytandon.com/integrity.html