Ten Hard Questions About Security: Question 2
Question 2: Whose system is this?
Don't think this isn't a valid question for every system in your network. Every system. I don't care if it's a network device, or the system that fires off your sprinklers, if it is connected to your network and has been for any amount of time, chances are that some outside actor has had access to it in some way. Users, including some of the most trusted administrators in your environment, make mistakes:
- They freely use their USB drives at public locations on computers whose provenance cannot be trusted.
- They open attachments from untrusted sources.
- They browse questionable web sites with insecure Javascript embedded.
- They let their children use their work laptops.
- They download freeware and shareware on a regular basis.
Actions like these don't necessarily guarantee that a compromise has occurred, but they greatly increase the chances. And with every action like this, chances keep increasing. The length of time a system exists in your environment also has some bearing on this question. Long life systems, such as Active Directory or any HR or payroll systems, have a greater chance of being compromised due to their high value.
What is the answer to this conundrum? Privilege Management.
The concept of privilege management is not new, but many of the mechanisms used in the past have not been complete solutions. Notice I didn't specify any certain piece of privilege management; many enterprises have some type of privilege management, including identity (PIM), access (PAM), and/or session. A holistic privilege management solution contains all of these components, working in harmony. But the privilege management solution is only as important as the system that gives it the real value: Auditing.
A privileged management solution is only as good as the information you can glean from it. Yes, many of these systems are very handy, and they really look to simplify the management of privileged identities. But if they are not securing these resources, they are useless. And if the security behind these systems is not being regularly reviewed and filtered and scrutinized, then you have really added no value. System administrators are generally smart people; they don't need a point-and-click adventure to login to their servers. They don't need colorful dashboards to tell them to which servers they have access. They need to be ensured that no one else can gain access to their systems.
I like to open discussions about privilege management with 3 key points:
- Keys to the Kingdom
- Quis Custodes Custodiet?
- Assume Breach
You may recognize the second point as one of the questions from the introductory post. We won't go deep into that one in this post, you'll just have to wait. Let's start with the keys...
"Keys to the kingdom" is an age-old phrase. It evokes thoughts of allowing access to all of the assets and secrets of an organization. When I hear this phrase, I immediately think of The Matrix, and the character called the Keymaker. His purpose was to give access to the programming hallways of the Matrix to the hero of the movie, Neo. And of course, many characters in the matrix were programs. Therefore, the Keymaker was the privilege manager of the matrix. And yes, I know that's a pretty far-fetched example (but it's better than the Keymaster and the Gatekeeper in Ghostbusters).
Your privilege management administrators are no different than the movie character. Their job is to administer systems that allow only the authorized users to authenticate to specific systems, and to account for the access granted. That last sentence contained three very important words: authorized, authenticate, and account. Some of you may recognize the concept behind those three words now that you have seen them together. Commonly known as AAA (Authorization, Authentication, and Accountability), this concept is a fundamental building block of security. If you don't know who has access to any given system, you cannot claim to have control of it.
Moral of the story here: limit the copies of keys to the kingdom.
Your most trusted administrators should be a very small group of highly skilled, long time direct hire employees. Employees who have undergone and continue to undergo extensive background checks on a regular basis. Employees who are trusted and trustworthy, but tend not to trust others. Eternal pessimists. People who believe in the worst in people, including their own teammates. People who question everything.
Their management, on the other hand, need to be the best listeners in your organization. Finding the right people is hard, but finding the right managers is even harder. They have to have the same attitude as their employees, but also have to believe them when they state that there is or may be an issue. They need to be skilled in security as well as being people managers. These types of employees can be hard to manage, and these types of managers need to be tougher than their employees.
"Assume breach", on the other hand, is a mindset that some may consider rather paranoid. In security, paranoia is not necessarily a bad thing, but in reasonable amounts. You probably don't want a conspiracy theorist running your privilege management, but you do want someone who wants to go back and double or triple check their work to ensure that it is done correctly. You want someone who is willing to investigate an error that may look innocuous to some, but seems to stick out like a sore thumb to them.
Where do you start looking for breaches? Start with your most privileged accounts. The greater amount of control a bad actor has to your environment, the more damage they can do. Limiting the number of those users, as stated above, is the best way to properly monitor them. If you have 500 enterprise-level administrators, the amount of data to parse through would be a full time job for a single team. Conversely, if you have 5 enterprise-level administrators, it's an easy task for one person every day or maybe even week. Concepts like the Privileged Access Workstation (PAW) help whittle these logs down even further. THe lower the number of data points to gather, the more successful you will be in finding your bad actors or breaches.
Moral of the story for this one: don't just work to prevent intrusions, actively seek them out in your enterprise.
Sorry for the long delay in getting this posted. I hope to do better in the future.