
Control Your IT Staff

Why you really should monitor your privileged users

White paper

Introduction

In most organizations, IT professionals have the “keys to the IT kingdom”, otherwise known as privileged access. Powerful privileged accounts let IT staff anonymously access systems throughout the network, and potentially view or extract sensitive data, or modify system configuration settings. How likely is it that IT professionals use this power to do things they shouldn’t do?

This white paper summarizes the security and compliance challenges organizations face today with regard to system administrative activities. In the second part, the paper describes a best-of-breed concept called Privileged User Monitoring (PUM) to mitigate the risks related to system administrators and meet increasingly strict regulatory requirements. The document concludes with a best practices section to help organizations implement a secure yet cost-effective framework to control internal and external IT staff.

www.balabit.com


Table of Contents

Introduction (p. 1)
Table of Contents (p. 2)
Risks Related to Privileged Users (p. 3)
  Risk 1: Unlimited “Power” of Internal Administrators (p. 3)
  Risk 2: Control Third-party IT Providers (p. 3)
  Risk 3: Targeted Attacks Hijacking Privileged Accounts (p. 4)
  Risk 4: Regulatory Compliance & IT Audits (p. 5)
The Solution - Privileged User Monitoring (PUM) (p. 6)
Best practices for IT Staff Control (p. 8)
Summary (p. 9)
About BalaBit (p. 9)


Risks Related to Privileged Users

#1 Risk 1: Unlimited “Power” of Internal Administrators

“The top action was privilege abuse — at 55% of all incidents— where internal actors abuse the access they have been entrusted with.” – Verizon 2015 Data Breach Investigations Report.

Your system administrators are the most powerful users in your IT environment. They operate the whole IT infrastructure, containing sensitive data and critical assets. Although these users typically sit at the bottom of the organizational hierarchy, they have very high or even unrestricted access rights to operating systems, databases and applications. Having “superuser” privileges on servers, administrators have the possibility to directly access and manipulate your company’s sensitive information, such as R&D and client data, or HR records.

In contrast, their accountability is low, as they have several ways to mask their activities: some administrators access sensitive data without permission and then go to great lengths to conceal their actions by manipulating system logs. While most employees are trustworthy, there are always employees who abuse the trust placed in them, and system administrators are no exception.

Typical security risks with IT admins include:

Sharing administrative passwords - Administrative accounts are often shared among IT staff; since you can never know who did what on a system, individual accountability is impossible. In many cases several IT personnel access the same privileged account and all of them know the password. Such a password can no longer be considered secure, and changing it frequently becomes almost impossible. The risk grows further when an administrator leaves the organization or changes role and the shared passwords are not changed.

Bypassing company policies - A BalaBit survey of 200 IT professionals revealed that nearly half of them have created exception rules in the firewall to bypass IT policy. The same survey found that 54% have already downloaded illegal content in their workplace.

Leaking/Stealing data – The Verizon DBIR 2015 report found a mass of individuals abusing the access they have been entrusted with by their organization in virtually every industry. With financial gain and convenience as the primary motivators, they plan to monetize stolen data by selling it to others (such as with financial data) or by directly competing with their former employer.

(Un)intentional misconfiguration – Human error as well as sabotage are increasingly common in the news. Inexperienced junior admins as well as disgruntled seniors can make a huge mess of IT systems, resulting in serious service outages and revenue loss for an organization.

Hiding traces – The BalaBit survey found that 15% of system administrators have already deleted or modified system log files (in order to hide or destroy evidence!).


#2 Risk 2: Control Third-party IT Providers

“67% of respondents admit to having services hosted by external partners or in the cloud (of which 46% are outsourcing critical services)…” – 2014 Information Security Breaches survey, PWC.

In a global environment, IT responsibilities are inevitably connected to outsourced departments, hosting or cloud providers. These third parties, including vendors, external developers, service providers or other contractors, are essential to business operations. They may operate your network infrastructure, maintain your web site, provide email or CRM services, or host your ERP application. Using such services also means that your organization is willing to trust the administrators of this external company with all of its data (for example, private and business e-mails, customer information, and so on), or even with the operation of business-critical systems.

Typical methods for providing third party access include VPN or jump hosts. These solutions provide firewall rules, but they lack granular access control options. In addition, controlling the activity of external administrators with traditional methods (for example, with logging or internal policies) is quite difficult.

Giving responsibility to an IT service provider is always a security risk. You may control the partnership with your provider through a contract, but monitoring their employees is hardly manageable with a standard Service Level Agreement (SLA). Nowadays, companies do not have a reliable and easy-to-use solution for validating SLAs and verifying billable activities. Measuring Key Performance Indicators (KPI) such as response times, or restricting external administrator access, is also a challenging exercise. That is why monitoring these third-party accesses is essential, in order to know which external engineer is doing what once he/she connects to your systems.

[Figure: Privileged Users Have Unfettered Remote Access. Managers, outsourcing partners, IT staff, cyber attackers and VDI users reach the data center with unrestricted and unmonitored access.]


#3 Risk 3: Targeted Attacks Hijacking Privileged Accounts

“58% of respondents believe their networks could already have been breached by a foreign state sponsored attack or an advanced persistent threat.” – 2014 Survey of Information Security Professionals by Lieberman Software.

Privileged accounts have emerged as the primary target for cyber criminals and have been exploited to perpetrate some of the most devastating cyber-attacks and data breaches in recent years. Today, these cyber-attacks are so customized and sophisticated that they can easily bypass traditional protection lines. APT (Advanced Persistent Threat) intruders prefer to leverage privileged accounts where possible, such as Domain Administrators, local Administrator accounts, service accounts, or privileged user accounts. Experts estimate that 80% of all serious security incidents involve privileged accounts. Consider a recent breach at Anthem, the second largest health insurer in the US: 80 million personal records were stolen, including names, addresses and social security numbers. The attackers were able to pose as administrative insiders to access Anthem’s databases, and this abnormal behavior went unnoticed for many months. The attackers’ activities were opaque to Anthem’s defenses and security staff, yet it turns out the activities were not stealthy; there just weren’t tools in place to monitor or analyze database traffic and identify the abnormal behavior.

To defend against APTs and cyber criminals, organizations must implement a privileged access management (PAM) strategy. It is important to minimize the lateral motion of intruders inside the network, implement strong authentication methods and strictly monitor privileged access.


#4 Risk 4: Regulatory Compliance & IT Audits

“By 2017, more stringent regulations around control of privileged access will lead to a rise of 40% in fines and penalties imposed by regulatory bodies on organizations with deficient PAM controls that have been breached.” – Gartner, Market Guide for Privileged Access Management, Felix Gaehtgens, Anmol Singh, 27 May 2015

Compliance is becoming increasingly important in several industries - laws, regulations and industry standards mandate increasing security awareness and the protection of customer data. International security standards like the Payment Card Industry Data Security Standard (PCI-DSS) or ISO 27001 all mandate the strict control and monitoring of administrative access and third-party service deliveries. Regulations and failed audits are becoming serious concerns for CIOs/CISOs, as auditors are paying closer attention to privileged accounts, and regulations are forcing organizations to create tamper-proof evidence for privileged access.

Having superuser privileges on the system, administrators have the possibility to directly access and manipulate data, and the ability to erase the traces of such actions from the logs. In addition, with standard log collector applications only a limited set of data can be collected. For example, IT auditors would miss critical actions like viewing or manipulating sensitive data by unauthorized personnel. Uncollected items in the log collection system result in many question marks when an incident occurs. Consequently, companies have to increase the auditability of their business processes, including the activity of privileged users. Organizations must find a reliable solution to audit the actions of their administrative users in order to ensure compliance.

Intentional or accidental security incidents caused by the IT staff (or in the name of the IT staff) can damage your company’s reputation, leading to lost future revenues. Without the proper controls in place, management can lose sleep if they rely solely on the good will of system administrators to prevent data breaches. That is the reason why it is essential to monitor privileged access - to know what your admins and outsourcing partners do when they connect to your systems.


The Solution - Privileged User Monitoring (PUM)


In such situations, it is reassuring to have an independent device that can reliably monitor all system administration activity. Privileged User Monitoring solutions control privileged access to IT systems, record activities in searchable audit trails, and prevent malicious actions, giving organizations the ability to oversee and audit IT admins. For example, PUM records system administrators as they update a database server or configure a firewall. The recorded audit trails can be replayed to review the events exactly as they occurred, and their content can optionally be indexed so that events can be searched. Keeping a secured record of work done in this way makes individual employees accountable for their actions, and the IT team can be sure that it won’t be held responsible for the actions of an individual. The recorded audit trails can also be used to settle any misconfiguration issues with remotely administered systems. Network-based PUMs completely isolate your sensitive systems from unknown intruders and from non-authorized users. In addition, they track all authorized access to data and provide actionable information in the case of human errors or unusual behavior.

[Figure: Concept of Network-based Privileged User Monitoring. Managers, outsourcing partners, IT staff, cyber attackers and VDI users connect to the data center over SSH, HTTP, Telnet, RDP, VNC and Citrix through the PUM device, which provides Authentication, Access Control, Real-Time Alerts, Audit & Forensics and Activity Reports (Analyze, Detect, Prevent).]


Privileged Access Control

By deploying a network-based PUM solution, additional control layers can be implemented: for example, a strict login policy, disabling unused communication channels or file transfers, or time-period limitations. PUM tools act as a central enforcement point, requiring strong authentication before users access your sensitive IT assets. PUM can also restrict privileged access to sensitive databases. Its granular access management functionality helps you control who can access what, and when, in your IT systems. You can enforce policies for all privileged access in one single system, which guarantees a high level of security throughout your whole infrastructure at minimum cost.

Real-time Session Monitoring

To avoid accidental misconfiguration and other human errors, advanced PUM solutions support the “dual control” principle. This is achieved by requiring an authorizer to allow/deny remote administrators to access a remote server. The authorizer also has the possibility to monitor – and terminate - the work of the administrator in real-time, as if they were watching the same screen.

Network-based PUMs can monitor network traffic in real time and execute various actions if a certain pattern (for example, a suspicious command, window title or text) appears on the screen. They can also detect specific patterns such as credit card numbers. On detecting a suspicious user action, they can send you an e-mail alert or immediately terminate the connection. For example, they can block the connection before a destructive administrator command, such as a “delete”, comes into effect.
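A toy model of the two controls described above (granular access checks with dual control, and real-time inspection of the session stream that alerts or terminates on a pattern), added here as an illustration and not BalaBit code: the policy fields, rule list, sample requests and sample commands are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
# Hypothetical per-target policy enforced by the PUM gateway (constructed for this example).
@dataclass(frozen=True)
class AccessPolicy:
    allowed_groups: frozenset     # directory groups permitted to connect
    window: tuple                 # (start, end) of the permitted time period
    allowed_protocols: frozenset  # channels left enabled, e.g. {"ssh"}
    dual_control: bool = False    # an authorizer must approve each session

@dataclass(frozen=True)
class SessionRequest:
    user: str
    groups: frozenset
    protocol: str
    at: datetime
    authorized_by: str = ""       # empty until a second person approves

def check_access(policy, req):
    reasons = []  # every denial is recorded with its reason
    if not (req.groups & policy.allowed_groups):
        reasons.append("user is not in an allowed group")
    if not (policy.window[0] <= req.at.time() <= policy.window[1]):
        reasons.append("outside permitted time period")
    if req.protocol not in policy.allowed_protocols:
        reasons.append(f"protocol {req.protocol} is disabled for this target")
    if policy.dual_control and not req.authorized_by:
        reasons.append("dual control: no authorizer has approved the session")
    return (not reasons, reasons)

def _luhn_ok(digits):  # checksum cuts false positives on card-like digit runs
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
# Constructed rules: a pattern in the session stream -> PUM action (alert or terminate).
RULES = [
    (re.compile(r"\brm\s+-\w*r\w*\s+/(?:\s|$)"), "terminate", "recursive delete of /"),
    (re.compile(r"\bDROP\s+(?:TABLE|DATABASE)\b", re.I), "terminate", "destructive SQL"),
]

def inspect_line(line):  # classify one typed command or line of screen output
    for pat, action, label in RULES:
        if pat.search(line):
            return action, label
    for m in CARD_RE.finditer(line):
        if _luhn_ok(re.sub(r"\D", "", m.group())):
            return "alert", "card number displayed"
    return "allow", ""

def monitor_session(lines):  # the first terminate action ends the session
    events = []
    for seq, line in enumerate(lines, start=1):
        action, label = inspect_line(line)
        if action != "allow":
            events.append((seq, action, label))
        if action == "terminate":
            break
    return events

def demo():  # constructed sample: an approved request, a denied one, a monitored stream
    pol = AccessPolicy(frozenset({"dba"}), (time(8, 0), time(18, 0)), frozenset({"ssh"}), True)
    ok = SessionRequest("alice", frozenset({"dba"}), "ssh", datetime(2015, 6, 1, 9, 30), "bob")
    bad = SessionRequest("alice", frozenset({"dba"}), "rdp", datetime(2015, 6, 1, 22, 0))
    stream = ["cat /etc/hostname", "4111 1111 1111 1111", "rm -rf /", "echo never reached"]
    return check_access(pol, ok), check_access(pol, bad), monitor_session(stream)
```

The denied request collects all three reasons at once rather than stopping at the first, so the audit trail explains exactly which policy attribute blocked the session.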


SLA Validation

In an IT outsourcing scenario, PUM is also a great tool to evaluate external engineers’ effectiveness. Consequently, control over SLA and billable activities can be improved, as the fulfillment of the services can be verified. For example, the PUM tool records external administrators as they configure your CRM database or maintain your mission-critical SAP system during the night. The recorded audit trails can be used as (strong) evidence to settle any accountability issues about the remotely administered systems, which is in the common interest of both the customer and the IT provider.

Cost-effective Audits and Forensics

When something goes wrong, everybody wants to know the root cause. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. Privileged User Monitoring solutions provide detailed information for troubleshooting and forensics situations to quickly uncover the root cause of incidents, improving IT operations. The ability to easily reconstruct user activity allows you to shorten investigation time and avoid unexpected costs. Quick investigations are further supported by PUM solutions which provide movie-like playback of recorded sessions – the easily interpreted recordings eliminate the need of costly external experts.

In addition, organizations can comply with external regulations (and internal policies) which specifically call for monitoring system administrators and third-party providers. By generating compliance and custom activity reports, the audit process is supported further and corrective actions can be taken. As a tamper-proof auditing tool, PUM helps organizations pass compliance audits of IT (outsourcing) processes.


Best practices for IT Staff Control


#1 Create Granular Access Policy

Access management needs to be developed based on formal policies and processes. Create granular access policies for privileged users including restrictions based on various attributes, such as time periods or group membership. When developing access control/management systems, legal regulations and standards should be taken into consideration, and it is often worth treating users with privileged access separately.

#2 Grant Only the Necessary Privileges

Each user, including privileged users, should only be granted the rights absolutely necessary to perform their duties. Even system administrators should only have access to those systems they absolutely need for business and operational reasons.

#3 “God Mode” Only in Emergencies

Built-in administrator accounts of the various systems (like “root”, “Administrator” and “System” accounts) are not generally required for daily operation. Access to these accounts should be restricted, and use of these accounts should be strictly controlled.

#4 Use Named Users

Use named user accounts properly for personal accountability. There needs to be careful assessment of users other than named users, when and why these accounts are in use, and how such options can be eliminated. Should technical reasons justify the use of shared user accounts, it’s then important to investigate what solutions can help mitigate the associated risks.

#5 Keep Shared Account Passwords Safe

Often many administrative users access the same privileged account, and all of them know the password. Password vaults offer a way to store user credentials (for example, passwords, private keys, certificates) and use them to log in to the target server, without the user having access to the credentials. Credentials for accessing the server are retrieved transparently from the vault. This automatic password retrieval is crucial to protect the confidentiality of passwords as users never get access to them.

#6 Implement a Central User Monitoring Solution

Log management systems are not always capable of recording the actions performed by privileged users. This gap is filled by Privileged User Monitoring (PUM) solutions, providing detailed and traceable records. More advanced solutions operate host-independently and transparently; therefore implementation of these systems does not interfere with daily business and operation.

#7 Enforce Strong Authentication for Privileged Users

Employing sufficiently strong and secure identification for privileged user access is of key importance, because these users can have a significant impact on IT systems. Some PUM systems support authentication methods (for example, two-factor authentication) providing stronger security by default. Other systems, however, do not support this, and supplementary solutions become necessary.

#8 Develop Real-time Protection Mechanisms

It is practical to determine whether privileged users have access to functions and/or data which are accessed only occasionally, yet pose a risk to the organization. If such a situation is discovered, protection measures should be taken. User activity monitoring systems that feature real-time alerts or can prevent execution of unwanted commands/actions provide much higher added value than retrospectively analyzing logs.

#9 Provide Strong Evidence to Eliminate Finger-pointing

Advanced PUM solutions provide encrypted, digitally signed and time-stamped recordings of administrative sessions. The recorded audit trails can be used as irrefutable evidence to settle any accountability issues about the remotely administered systems, which is in the common interest of both parties. Beyond that, recordings help to verify the provider’s fulfillment of SLAs and billable activities, as well.
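A minimal model of the tamper-evident recording that practice #9 calls for, added here as an illustration rather than BalaBit's implementation: each record is hash-chained to its predecessor, time-stamped and authenticated with an HMAC (standing in for the digital signature; the key is assumed to be held by the PUM device, not by the monitored admins), and a verifier reports modification, deletion, reordering and, given a published head hash, truncation. Record fields, timestamps and the sample session are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _canonical(record):
    # Deterministic serialization so a record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def _link_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()

def _sign(key, link_hash):
    # HMAC stands in for the digital signature; the key lives on the PUM device.
    return hmac.new(key, link_hash.encode(), hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only, hash-chained, signed and time-stamped session records."""

    def __init__(self, signing_key):
        self._key = signing_key
        self.entries = []

    def append(self, ts, session, event):
        record = {"seq": len(self.entries), "ts": ts, "session": session, "event": event}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        link = _link_hash(prev, record)
        self.entries.append({"record": record, "hash": link, "sig": _sign(self._key, link)})
        return link  # new head hash; publish it out-of-band so truncation is detectable

def verify_trail(entries, key, expected_head=None):
    """Return (ok, reason). Catches edits, deletions and reordering; with a trusted
    head hash it also catches silent truncation of the newest records."""
    prev = GENESIS
    for pos, entry in enumerate(entries):
        rec = entry["record"]
        if rec["seq"] != pos:
            return False, f"sequence break at position {pos} (record removed or reordered)"
        if not hmac.compare_digest(_sign(key, entry["hash"]), entry["sig"]):
            return False, f"bad signature on seq {pos}"
        if _link_hash(prev, rec) != entry["hash"]:
            return False, f"record {pos} was modified after signing"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head differs from published head (newest records truncated?)"
    return True, "ok"

def demo():
    """Constructed sample: a three-event session, then edited and truncated copies."""
    key = b"placeholder-signing-key"  # a real deployment keeps this in an HSM or KMS
    trail = AuditTrail(key)
    trail.append(1433152800, "sess-42", "connect user=alice target=db01 proto=ssh")
    trail.append(1433152860, "sess-42", "cmd: SELECT count(*) FROM customers")
    head = trail.append(1433152920, "sess-42", "disconnect")
    edited = copy.deepcopy(trail.entries)
    edited[1]["record"]["event"] = "cmd: uptime"  # the typed command is rewritten
    truncated = trail.entries[:-1]                # the last record is dropped
    return (verify_trail(trail.entries, key, head), verify_trail(edited, key),
            verify_trail(truncated, key), verify_trail(truncated, key, head))
```

Note that the truncated copy verifies cleanly without the published head: a hash chain alone cannot prove that the newest records are present, which is why the head hash (or an external time-stamp) has to be anchored outside the trail.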


Summary

Internal and external system administrators are the most powerful users in an IT environment. Although these users typically sit at the bottom of the organizational hierarchy, they have very high or even unrestricted access rights to IT systems and applications. With superuser privileges on servers, administrators have the ability to directly access your company’s most sensitive information and service-critical configuration. No matter if internal privileged misuse, targeted cyber-attack or accidental error, these incidents can cause serious damage to the revenue and reputation of every organization. To mitigate this risk a privileged access management strategy should be implemented with privileged user monitoring and session recording as the focus.

Learn more about BalaBit's Privileged User Monitoring concept here.

About BalaBit

BalaBit – headquartered in Luxembourg – is a European IT security innovator, specialized in advanced monitoring technologies. It has sales offices in France, Germany, Hungary, Russia, the UK and the United States and partners in 50+ countries. The main development centers are based in Hungary. BalaBit has customers all over the world including 23 percent of the Fortune 100 companies.

The company is widely known for syslog-ng™, its open source log management solution, used by more than a million companies worldwide. This significant user base provides a solid ground for the business expansion, which is fueled by Shell Control Box™, a pioneering development for the rapidly growing niche of the privileged activity monitoring market. Learn more at www.balabit.com