This cautionary tale, sadly, has already played out in enterprises around the world. Details have been altered to protect the clueless, but it may be only a matter of time before your organization's details fit the story below.
Imagine that you are the CSO of Generic Enterprises, Ltd. One morning, on the way to your office, you come across Carl from cryptography. He mentions that Gary, one of the IT admins, is putting everyone to shame by working so hard; he’s been at it since 5:30 this morning. This strikes you as odd, since Gary is notorious for his late-night gaming sessions, not for coming to work early.
Carl goes on to say that Gary requested access to the company’s latest build system, where you keep the code to a top-secret product that’s about to launch. He also requested access to HR records and the customer-payment information systems for maintenance purposes. His access credentials and keys were older, Carl says, but they still checked out, so he let Gary continue.
You shrug and head down the hall, where you are greeted by Dara from Data Loss Prevention. She tells you that she’s surprised how hard Gary has been working this morning, transferring gigabytes of data around the network. Dara figures there must be a major update in the works, and you agree that’s most likely why Gary must have come in so early. You ask what kind of data Gary’s been transferring.
“No clue,” Dara replies, reminding you that because everything is encrypted for security, Data Loss Prevention can’t see what kind of data is moved into and out of the system. But she tells you that Carl said his credentials checked out, so not to worry. Gary is a trustworthy employee.
Something is beginning to smell fishy, but you can’t quite pinpoint it. You stop by the office of Patrick, who’s in charge of Privileged Access Management, and ask whether he’s interacted with Gary today. He tells you that as a matter of fact, Gary worked around him by using an SSH key pair. You reply that it seems like a protocol breach, but Patrick assures you that this type of thing happens all the time. He mumbles something about how he’s never bothered to check for new SSH keys after vaulting all the SSH keys on his first day; he supposes he could continuously discover SSH keys, but it seems like a lot of work.
This information does nothing to quell your sense that something is wrong. You arrive at your office and turn on your computer. Your login fails; you realize you've forgotten your password again. As if on cue, your phone rings. It's Gary, who is coughing and sniffling. He apologizes for calling in so late, but...
You assure him it's not a problem because you actually were just about to call him to retrieve your password. Gary says he can help you, but recommends that you use the same password for everything; that way, it's easier to remember. In addition, he keeps his own password written on a note stuck to his monitor at work, so anyone can use his account to reset forgotten passwords when he's out of the office.
Now that nagging sense of disquiet blossoms into fear. “What? You’re not in the office?” He confirms it, explaining that he’s sick and won’t be in today. “If you’re not here, then who’s moving massive amounts of encrypted data out of the network?”
Gary can offer no explanation. How could someone have stolen the backdoor SSH key that bypassed PAM, which he keeps on his work computer—right next to his password?
Four Security Truths to Live By
The lapses in this story may seem obvious, even far-fetched, yet IT professionals are notorious for being lax with passwords and for bypassing privileged-access systems to save time. A recent Forrester report found that 8 out of 10 breaches involved privileged credentials.
But the story above needn't be your story. Remember that the network perimeter is no longer a meaningful boundary: once an attacker gets past it, an outsider effectively becomes an insider. Every day attackers find new ways through enterprise perimeter security, whether by phishing and social engineering, malware or ransomware. A determined attacker can and will get in, so the security mechanisms you have in place to limit the damage afterward will make the greatest difference.
You can help keep your organization from writing its own cautionary tale by hewing to these central truths:
- Malicious actors can get into the network in many ways, but the most reliable way to spread an attack once inside is with stolen credentials, SSH keys included.
- Continuously discover SSH keys across the environment and reconcile them against what the vault knows about. A key the PAM system has never seen is a path around it, and failing to look for such keys can render any PAM system useless.
- The most efficient way to limit the damage of credential theft is to use short-lived credentials. A credential that expires in minutes is worth little to steal, and it removes the standing passwords and long-lived keys that make traditional PAM vaulting burdensome and intrusive.
- Don't trust internal or external networks. Encrypted traffic that no one can inspect is invisible to DLP and firewalls, so privileged sessions and cross-boundary transfers must be terminated at a point where they can be decrypted, inspected and logged, rather than waved through because the credential checked out.
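Gary's story turns on a key the vault never saw. The following is an added example, not code from this article or from SSH Communications Security, of the discovery-and-reconcile step the second truth calls for: it parses authorized_keys files collected from hosts, computes the OpenSSH SHA256 fingerprint the way `ssh-keygen -lf` prints it, and reports every key whose fingerprint is absent from the vault's inventory. The hosts, file contents, key bytes and the `VAULT_FINGERPRINTS` inventory are all constructed for the example; there is no real vault API behind them, and a real deployment would feed the parser the contents of each account's authorized_keys file and the vault's fingerprint export.

```python
"""Discover SSH public keys in authorized_keys files and reconcile them against a vault.

Added example, not code from the article. Hosts, file contents, key bytes and the
vault inventory below are constructed; there is no real vault behind VAULT_FINGERPRINTS.
"""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass

# authorized_keys line: [options] keytype base64-blob [comment]
# Options may precede the key type (and may contain quoted spaces), so the key type is
# located by its prefix and everything before it is treated as the options field.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob (base64) from a
    deterministic 32-byte placeholder. Constructed for the example; not a real key pair."""
    raw = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 bytes stand in for the point
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of SHA-256 over the decoded blob, '=' padding
    stripped, prefixed with 'SHA256:' exactly as `ssh-keygen -lf` shows it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass(frozen=True)
class FoundKey:
    host: str
    account: str
    key_type: str
    fingerprint: str
    comment: str
    options: str


def parse_authorized_keys(host: str, account: str, text: str) -> list:
    """Return one FoundKey per key line; blank lines, comments and unparsable lines are skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        found.append(FoundKey(
            host=host, account=account, key_type=m.group("type"),
            fingerprint=fingerprint(m.group("blob")),
            comment=m.group("comment") or "",
            options=line[:m.start()].strip(),
        ))
    return found


def reconcile(found: list, vault_fps: set) -> list:
    """Keys present on hosts but unknown to the vault. Fingerprints are compared rather
    than raw lines, so the same key with different options or comments is still recognised."""
    return [k for k in found if k.fingerprint not in vault_fps]


# --- Constructed inventory: Gary's vaulted key, a CI deploy key, and a backdoor key ---
GARY_VAULTED = make_ed25519_blob(1)
GARY_BACKDOOR = make_ed25519_blob(2)
DEPLOY_KEY = make_ed25519_blob(3)

# Constructed authorized_keys contents, keyed by (host, account).
HOST_FILES = {
    ("build01", "root"): f"""# keys vaulted on day one
ssh-ed25519 {GARY_VAULTED} gary@laptop
command="/usr/local/bin/deploy",no-pty ssh-ed25519 {DEPLOY_KEY} deploy@ci
ssh-ed25519 {GARY_BACKDOOR} gary-backup
""",
    ("hr-db01", "postgres"): f"""ssh-ed25519 {GARY_BACKDOOR} gary-backup
""",
}

# What the PAM vault knows about (constructed; a real run would use the vault's export).
VAULT_FINGERPRINTS = {fingerprint(GARY_VAULTED), fingerprint(DEPLOY_KEY)}


def discover() -> list:
    found = []
    for (host, account), text in HOST_FILES.items():
        found.extend(parse_authorized_keys(host, account, text))
    return found


def unvaulted_keys() -> list:
    return reconcile(discover(), VAULT_FINGERPRINTS)


if __name__ == "__main__":
    for k in unvaulted_keys():
        print(f"UNVAULTED {k.host}:{k.account} {k.key_type} {k.fingerprint} "
              f"comment={k.comment!r} options={k.options!r}")
```

Run on a schedule, the only output you want to see is none; each unvaulted line is either a key that should be vaulted or, as in Gary's case, a key that should not exist. Keep the report keyed by fingerprint so the same backdoor key installed under several accounts is counted once per host rather than hidden by a differing comment.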
Do you have a "Gary" in your organization? Odds are you do. He or she could have entered your network quite a while ago and is now mapping the environment and waiting for the right time to strike. Given unrestricted access, this bad actor could steal critical or sensitive data and threaten the existence of your business. Treat privileged-access management, including the keys it does not yet know about, as an essential part of your IT security posture to avoid becoming another preventable sad story.
About the Author
John Walsh serves as director of product marketing at SSH Communications Security, where he focuses on raising industry awareness of risk and compliance issues of unmanaged credentials. John has more than 15 years of experience in the IT security industry, having held product-management, product-marketing and software-engineering positions at IBM and SSH Communications Security. Before joining the company, he worked at IBM, where he obtained a patent, contributed to solutions guides and designed a number of important software features for security products such as SSH, LDAP, firewall and Java Cryptography. John holds a BS in computer science from Binghamton University as well as an MS in management information systems from Marist College.