FEATURE

bloggers will try to block BitDefender’s IP addresses because its spidering robots are not bringing them any revenue from Internet advertisers. One way around this problem is to use anonymising proxy servers, Cosoi says, although this presents ethical issues. Even though URL scanning companies would be using these services to good ends, it is still a deceptive practice.
Getting the upper hand
The battle between cyber-criminals using malicious URLs and the security companies trying to find them will continue, with each side attempting to get the upper hand. As always, the victims sit in the middle, hoping that technologies such as cloud-based scanning, combined with blacklists of known malicious URLs, will save them. However, with criminals able to generate new domains quickly and cheaply, it is unlikely that URL scanning services will catch every bad link. As always, users must also be diligent when following URLs. Even with the help of URL scanning, it is probable that the number of web users infected through compromised legitimate sites will continue to rise.
About the author
Danny Bradbury is a freelance technology writer who has written regularly for titles including The Guardian, Financial Times, National Post, and Backbone magazine, in addition to editing several security and software development titles. He specialises in security and technology writing, but is also a documentary film maker and is currently working on a non-fiction book project.

Managing privileged user activity in the datacentre
Richard Walters, Overtis

The benefits of cloud computing have been well documented, as have the security risks associated with entrusting your data to a third party. Although there have been many definitions of what the ‘cloud’ entails, whether your third-party provider is offering software, platform or infrastructure as a service, inside that cloud is a physical datacentre, run by human beings with privileged access to servers. So we need to consider the management of these privileged users’ activities. We’ll also look at the risks posed by trusted users in the datacentre, list the questions that CISOs need to ask before placing data in the cloud, and outline best practice for proactive governance of physical access to servers in the datacentre.
Source of breaches
In its most recent Data Breach Investigations Report, Verizon, working with the US Secret Service (USSS), found that 48% of data breaches in the past year were caused by insiders.1 The report also identified that almost half of these insider breaches involved employees with privileged access. (The percentage of cases involving insiders was considerably higher than in previous years because this was the first time USSS data had been included, and that organisation’s cases involve a high proportion of insider breaches.) In its paper ‘Cloud Computing: benefits, risks and recommendations for information security’, the European Network and Information Security Agency (ENISA) identified the power held by the managed service provider’s systems administrator as one of the 10 most important risks specific to cloud computing.2

The external threat to data in the cloud is of primary concern to datacentre operators and enterprises alike. A survey of 100 hackers carried out by Fortify Software at the DEF CON 2010 conference in Las Vegas found that 45% had already tried to exploit vulnerabilities in the cloud, and 12% admitted that they had hacked systems for financial gain.3 Within the datacentre, however, a breach by an insider with privileged access rights could reach back-office systems and so affect compliance and business continuity. When conducting a risk assessment within a datacentre, therefore, management of trusted users is as important as protecting the cloud from external attack.

Network Security
November 2010
Figure 1: Who is implicated in data breaches? Source: Verizon.
The first piece of advice to companies considering outsourcing processes to cloud computing providers is to ring-fence your data. Look for a provider that can offer an encrypted vault or ‘clean room’ within the datacentre to which the service provider itself has no access. This only holds if the encryption keys stay with you: a provider that holds the keys can still read the data, whatever the contract says. Ideally, cloud computing should follow the model of remote backup and email archiving services, where data is encrypted end-to-end. For business continuity, also keep a local, encrypted backup so that your service provider does not hold the only copies of your data.
The appliance of compliance
Companies seeking to comply with PCI DSS, Financial Services Authority (FSA) regulations, ISO 27001 and the Data Protection Act often face the same questions from auditors. Ultimately, whichever standard you are bound by, compliance comes back to good governance of data and the management of user activity. As stated, the user with the most power is the systems administrator, who has privileged access to multiple servers and systems. It is for this reason that ISO 27001 (Annex A control A.11.2.2) states that “the allocation and use of privileges shall be restricted and controlled.” Similarly, PCI DSS requirement 10.2.2 requires that all actions taken by any individual with root or administrative privileges be logged. Experience teaches that there are some user activity management questions that IT managers and CEOs should ask their providers before they commit to the cloud. Here’s a top 10:

1. How do you ensure that your low man-count policy (no changes unless a minimum number of people are present) is enforced before changes are permitted on a datacentre server?
2. How do you ensure that out-of-hours changes are blocked or, at the very least, audited?
3. Would you be able to identify which of your IT administrators swiped into the datacentre at 2am on a Sunday? How would you verify that they were using their own swipe card?
4. If a member of your IT administration team logged into a single server using multiple legitimate user accounts, how would you know? Would this show up on your audit trail?
5. If a member of your IT administration team deleted event logs from three critical servers and from the central log management system, would you know? If you could audit this, how would you identify which member of the team had done it?
6. How would you know if one of your IT team copied the administrator passwords into an IM message?
7. Would you be alerted if one of your datacentre staff installed a remote access application on a key application server?
8. How do you enforce encryption of data backed up to removable drives before they are transferred to a third party?
9. If one of the staff was bulk-copying client data to a local hard drive, how would you be alerted to this?
10. If a member of your IT administration team changed file permissions and printed off hard copies of your customer contracts, would this be flagged to your security personnel before that member of staff left the datacentre?
Real-world examples
The above questions are not just based on risk management theory. Consider for a moment the following recent examples of the damage wrought by insiders:

• In August 2010, the FSA fined Zurich Insurance £2.28m after an unencrypted backup tape was lost. The tape contained the personal records of more than 40,000 customers.
• In March 2010, it was reported that records of 24,000 HSBC Swiss bank accounts were stolen by a former IT consultant, Hervé Falciani, who had privileged systems administrator access. It was alleged that Falciani intended to sell the stolen data. The bank has subsequently invested £62m to upgrade its security systems.
• In August 200?, a civilian employee of Essex Police admitted that he sold mobile phone records after accessing police intelligence databases 800 times.

Managing privileged user access in the datacentre
The first step to managing user activity is to control physical access to your building. Cloud computing service providers should invest in strong physical access control systems. Turnstiles and circle locks should be considered, and anti-passback (a card that has been used to enter cannot be used to enter again until it has been used to leave) should be mandatory. If possible, go further than card-based access and require biometric authentication for entry, using finger-vein readers, for example, which are hard to subvert.
Figure 2: How do breaches occur? Source: Verizon.
There are several advantages to this biometric authentication method. First, vein readers overcome a safety issue for employees with privileged access. A severed finger can theoretically be used on a fingerprint reader to gain access to critical systems. In contrast, a vein reader relies on oxygenated haemoglobin absorbing the infrared light passing through the finger to provide the contrast needed for authentication, so only a live finger will be authenticated. Second, vein patterns are unique (even identical twins show differences) and they remain constant throughout adulthood. Third, this biometric reduces false positives (an impostor accepted) to around one in a million and false negatives (a legitimate user rejected) to around one in 10,000. Authentication takes less than a second. Finally, the use of light rather than contact is more hygienic and so more acceptable to employees.
Integrating biometric-based access control with both CCTV and endpoint security on workstations and servers provides the distinct advantage of creating time- and date-stamped audit trails of who did what, when and where within the datacentre. Integrating physical access control systems with endpoint security can also enforce low man-count policies, for example ensuring that changes to servers and systems cannot be made unless at least two systems administrators are present. In his Quocirca whitepaper ‘Privileged user management, it’s time to take control’, industry analyst Bob Tarzey writes: “Bad practices include the sharing of privileged user accounts, the use of default usernames and passwords and the granting of far broader privileges than necessary for a given privileged user to do their job.”4 Quocirca reports that of the 270 companies it interviewed, 41% admitted sharing access to administrator accounts for operating system access. By integrating endpoint security with biometric authentication and surveillance systems, a shared account can no longer hide who used it: every logon is tied to the biometrically identified person in the room, and a logon with no matching entry is itself an alert.
The seven layers of user activity management
Once you have secured the physical perimeter of your datacentre and invested in strong access control, the next step to preventing internal security incidents is to focus on the activity of users. By analysing common patterns of behaviour leading up to security breaches it is possible to define a seven-layer approach that sees and stops breaches before they can occur. The seven layers are: physical; transaction; file and folder; content; application; device; and user guidance. We’ll now look at these in more detail.
Physical layer
Integrating endpoint security software with physical security such as door entry systems, CCTV, biometric devices and RFID systems significantly enhances the physical security perimeter. This ensures that only authorised personnel are able to access areas containing servers, laptops and workstations. Likewise, if a building management system event such as a fire alarm requires datacentre personnel to leave the building, endpoints can be locked down until users have re-entered the building and re-authenticated. This assists organisations and datacentre operators in complying with ISO 27001 Annex A controls A.9.1.1 to A.9.1.3, which deal with the physical security perimeter, physical entry controls and securing offices, rooms and facilities. Integrating endpoint security with these physical controls also ensures that even if an unauthorised person enters your facility, by stealing a swipe card or tailgating an employee through an entry point, information assets remain inaccessible, because endpoint access is tied to the authenticated identity at the door rather than to possession of a card. Compliance with ISO 27001 A.9.1.5, ‘working in secure areas’, can be achieved via user activity management software, which enforces specific policies for datacentres, server rooms and other designated secure areas.5
Transaction layer
Two-factor authentication devices, including tokens, smartcards and biometric access control devices, can be greatly enhanced by integration with user activity management software that enforces when these devices have to be used to complete certain transactions. A visual audit trail, incorporating screenshots and/or CCTV images, proves not only that a specific user account from a particular workstation was used to perform an individual task but also who completed it. For sensitive operations, an individual command, menu option or button within an application can trigger a request for additional authentication, such as biometric identification of the individual, with real-time alerts sent by email and SMS to senior management and security personnel.
File and folder layer
Policies can be created to manage user activity so that specific folders can be accessed by systems administrators, but files cannot be opened, copied, changed, deleted or sent. User activity management software can be used to provide on-screen prompts to query the action and alert the user that their activity is being monitored and that screenshots have been captured with time and date stamping, linked to door entry logs and CCTV images. Timed policies can be used to prevent access to certain files and folders outside of normal working hours.
Content layer
User activity management at the content layer can be used to ensure that documents containing certain words, such as ‘confidential’, ‘blueprint’, ‘merger’ or project code words, cannot be copied, pasted, sent or printed. Keyboard input is continuously checked for the presence and frequency of certain keywords, phrases and data patterns, such as credit card primary account numbers (PANs) or postcodes. Content-layer management can also be used to enforce rules so that confidential files cannot be sent by email without being encrypted.
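An added example of the content-layer checks just described (illustrative code written for this edit, not Overtis software and not part of the original article): it scans a text buffer for the watchwords named above, for UK postcodes and for card numbers, and it applies the Luhn check so that an eleven-digit phone number or an order reference that merely looks like a PAN is not blocked. The watchword ‘project nightjar’, the sample draft and the postcode and card values in it are constructed; 4111 1111 1111 1111 is the usual Luhn-valid test number, not a real card.

```python
import re
from collections import Counter

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# UK postcode, outward and inward code, e.g. SW1A 1AA.
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}\b")
# Watchwords from the article plus one constructed project codeword.
WATCHWORDS = ("confidential", "blueprint", "merger", "project nightjar")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: weeds out phone numbers and order IDs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs in text, with separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def count_watchwords(text: str) -> Counter:
    """Case-insensitive whole-word hit count for every watchword that appears at least once."""
    hits = Counter()
    for word in WATCHWORDS:
        n = len(re.findall(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE))
        if n:
            hits[word] = n
    return hits


def assess(text: str) -> dict:
    """Policy decision for a buffer about to be copied, pasted, sent or printed."""
    pans = find_pans(text)
    postcodes = UK_POSTCODE.findall(text)
    keywords = count_watchwords(text)
    action = "block" if pans or keywords else "allow"
    return {"pans": pans, "postcodes": postcodes, "keywords": keywords, "action": action}


# Constructed sample: an e-mail draft as captured from the keyboard buffer.
SAMPLE_DRAFT = (
    "CONFIDENTIAL - do not forward. Attached are the merger terms for Project Nightjar. "
    "Customer at SW1A 1AA paid with card 4111 1111 1111 1111 (expiry 12/12); "
    "the old card 4111-1111-1111-1112 was declined. Marked confidential at the client's request."
)

if __name__ == "__main__":
    print(assess(SAMPLE_DRAFT))
```

The Luhn step is what keeps the false-positive rate tolerable: without it, every 13- to 19-digit run in a spreadsheet export would trigger a block. The keyword counter is what lets the ‘frequency’ rule in the text be tuned, so that a policy can fire on repeated use of a codeword rather than on a single stray occurrence.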
Application layer
This allows all software changes to be monitored or prevented. Whitelisting can ensure that only authorised applications execute. Application-shaping features can restrict access to certain menu options, buttons or keystroke combinations, based on context such as time and location. Access to functions within permitted applications, such as print, save as, cut, copy or export, may be limited to specific locations, such as the console, or removed altogether. Concurrent use of applications can also be controlled: a user with a sensitive spreadsheet open could be prevented from opening an IM, email or webmail client at the same time. The controls are hard to override because the user activity management software blacklists utility programs and tools and can restrict what individual users may type at the command prompt. Any agent-based control is only as strong as the agent’s own protection, however: a privileged user who can stop, uninstall or starve the agent defeats it, so tamper attempts against the agent must themselves generate alerts. With more and more configuration being undertaken through web interfaces, access to specific URLs can also be restricted, or access to any HTML element within a page managed. Unauthorised changes can be blocked and all authorised changes by systems administrators logged. Managing user activity at the application layer provides ongoing assurance that, once system settings have been configured, they cannot be changed, or changed back, without triggering a real-time alert to management and security personnel. This enables organisations to manage privileged user access automatically, as well as enforcing common security policies across the organisation.
Device layer
This controls which devices can be connected to the network. The addition or removal of hardware can be prevented, or allowed but monitored. Rules can govern when changes can be made, so that real-time alerts are triggered and CCTV images captured if hardware is disconnected or reconnected out of hours, or if there are fewer than two people in the secure area at the time of the attempted change. This would, for example, help detect or prevent hardware tampering or the addition of hardware keyloggers.
By integrating logical security rules with physical access control, servers and workstations can be set to lock if a user swipes out of a secure area without having logged out, preventing a systems administrator’s session from being hijacked while they are out of the room. To protect critical systems, the integration with door entry systems and CCTV can also be used to enforce low man-count policies, preventing system changes unless a second person is in attendance.
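As an added example of the physical/logical integration described in this section and in the physical layer above (anti-passback, the low man-count rule, swipe-out session locking and out-of-hours alerting), the following is a small correlation engine written for this edit; it is not Overtis code and is not from the original article. It replays a constructed event stream from a door controller and an endpoint agent. The zone and host names, the 08:00 to 18:00 weekday change window, the assumption that a logon event names the same person as their badge, and the Sunday 02:00 timestamps are all assumptions, chosen to match the 2am-on-Sunday scenario in the top-10 questions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


# One normalised event from either the door controller or the endpoint agent.
# kind:  badge_in | badge_out | logon | logoff | change
# who:   the badge holder (physical events) or the account's named owner (logical events)
# where: the secure zone for badge events, the host for logical events
@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    who: str
    where: str


WORKING_HOURS = (time(8, 0), time(18, 0))   # assumed change window, Monday to Friday


class DatacentrePolicy:
    """Correlates door-entry and endpoint events to enforce presence-based rules."""

    def __init__(self, min_occupancy: int = 2):
        self.min_occupancy = min_occupancy
        self.inside: set = set()          # badge holders currently in the zone
        self.sessions: dict = {}          # host -> set of logged-on users
        self.alerts: List[Tuple[datetime, str, str, str, str]] = []  # ts, severity, code, who, detail

    def _alert(self, ev: Event, severity: str, code: str, detail: str) -> None:
        self.alerts.append((ev.ts, severity, code, ev.who, detail))

    def _in_hours(self, ts: datetime) -> bool:
        return ts.weekday() < 5 and WORKING_HOURS[0] <= ts.time() < WORKING_HOURS[1]

    def _on_badge_in(self, ev: Event) -> None:
        # Anti-passback: a badge that is already inside cannot be used to enter again.
        if ev.who in self.inside:
            self._alert(ev, "high", "ANTI_PASSBACK", f"badge of {ev.who} already inside {ev.where}")
            return
        self.inside.add(ev.who)

    def _on_badge_out(self, ev: Event) -> None:
        self.inside.discard(ev.who)
        # Lock any session the holder walked away from, so it cannot be hijacked at the console.
        for host, users in self.sessions.items():
            if ev.who in users:
                users.discard(ev.who)
                self._alert(ev, "medium", "SESSION_LOCKED",
                            f"{ev.who} left {ev.where} with a live session on {host}")

    def _on_logon(self, ev: Event) -> None:
        # An account used by someone whose badge is not in the room points to a shared or stolen credential.
        if ev.who not in self.inside:
            self._alert(ev, "high", "NO_PRESENCE", f"account of {ev.who} used on {ev.where} without a badge-in")
        self.sessions.setdefault(ev.where, set()).add(ev.who)

    def _on_logoff(self, ev: Event) -> None:
        self.sessions.get(ev.where, set()).discard(ev.who)

    def _on_change(self, ev: Event) -> bool:
        # Two-person rule: block unless enough people are physically present; flag out-of-hours attempts.
        allowed = True
        if len(self.inside) < self.min_occupancy:
            allowed = False
            self._alert(ev, "high", "TWO_PERSON",
                        f"{len(self.inside)} present, {self.min_occupancy} required for change on {ev.where}")
        if not self._in_hours(ev.ts):
            self._alert(ev, "medium", "OUT_OF_HOURS", f"change attempted on {ev.where} at {ev.ts:%a %H:%M}")
        return allowed

    def run(self, events) -> List[Tuple[datetime, str, bool]]:
        """Replay events in time order; return (ts, host, allowed) for every change attempt."""
        decisions = []
        for ev in sorted(events, key=lambda e: e.ts):
            result = getattr(self, "_on_" + ev.kind)(ev)
            if ev.kind == "change":
                decisions.append((ev.ts, ev.where, result))
        return decisions


def _t(hh: int, mm: int) -> datetime:
    return datetime(2010, 11, 7, hh, mm)   # a Sunday


# Constructed event stream: alice's card is used twice, bob's account is used before bob arrives.
SAMPLE_EVENTS = [
    Event(_t(1, 55), "badge_in",  "alice", "server-hall"),
    Event(_t(1, 56), "logon",     "alice", "srv-db01"),
    Event(_t(1, 57), "badge_in",  "alice", "server-hall"),   # second use of alice's card
    Event(_t(1, 58), "logon",     "bob",   "srv-db01"),      # bob has not badged in
    Event(_t(2, 0),  "change",    "alice", "srv-db01"),      # only one person present
    Event(_t(2, 5),  "badge_in",  "bob",   "server-hall"),
    Event(_t(2, 6),  "change",    "alice", "srv-db01"),      # two present, but out of hours
    Event(_t(2, 10), "badge_out", "alice", "server-hall"),   # leaves with srv-db01 session open
]

if __name__ == "__main__":
    policy = DatacentrePolicy()
    for ts, host, allowed in policy.run(SAMPLE_EVENTS):
        print(f"{ts:%a %H:%M} change on {host}: {'allowed' if allowed else 'BLOCKED'}")
    for ts, sev, code, who, detail in policy.alerts:
        print(f"{ts:%a %H:%M} [{sev}] {code} {who}: {detail}")
```

Run as a script it prints two change decisions (the first blocked because only one person was present, the second allowed but flagged as out of hours) and six alerts. In a real deployment the same rules would run against the live door and endpoint feeds, and the account-to-badge-holder mapping would come from the directory rather than being assumed equal as it is here.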
User guidance layer
Security and usability have always pulled in opposite directions. It has been reported time and again that security breaches are often caused by diligent employees just trying to get on with the task in hand and not spotting the risks associated with doing things a certain way. In addition, where security becomes too cumbersome, employees will look for workarounds. Dialogue boxes that ask the user whether they wish to proceed before attaching a sensitive file to an email or printing out a confidential message are extremely powerful in addressing unintentional data losses. User activity management solutions that provide on-screen prompts, reminders and dialogue boxes will be more readily accepted by users, because they allow the flexibility for certain ‘off-policy’ actions to take place if the user can provide a valid reason for that activity. The actions, with supporting evidence from CCTV and screenshots, can still be captured.
Visual audit trails
In the Verizon data breach report it was acknowledged that 87% of organisations that suffered a data breach already held evidence of earlier breaches within their system logs. However, these early warning signs had been overlooked, owing to lack of resources. It was also shown that there was a correlation between relatively minor policy infringements and a more serious breach of security further down the line. Verizon advises organisations to consider more proactive measures to protect against privileged user abuse by employing better employment vetting, separation of duties and restriction of privileged user access. The report concludes that “privileged use should be logged and messages detailing activity generated to management.”
Integration of physical and logical security can be used to create a comprehensive visual audit trail of user activity. This provides a complete overview of how users interact with sensitive information in-house and in the cloud. Individual alerts detailing specific user actions can be supplemented with desktop screenshots, a screenshot of the relevant application window, all foreground window text and CCTV images. Each event is assigned a severity and is date- and time-stamped, with complete user and machine details. Regular automated trend and exception reporting will quickly highlight unusual patterns of behaviour or suspicious user or system administrator activity. The type and volume of any particular activity can be quantified and monitored to enable rules to be tuned to prevent certain actions or to strengthen existing controls. As soon as a critical or severe security event takes place, immediate email, SMS or pager alerts can be sent to security staff and management, enabling a rogue administrator to be apprehended before he or she leaves the premises.

Figure 3: A visual audit trail covers all seven layers and provides a complete overview of user activity – in-house and in the cloud.

Conclusion
While the cloud offers significant benefits for flexibility and scalability, we cannot ignore the risk posed by users with privileged access to secure areas in the datacentre. We need to quantify the data that can be lost and document key user workflows to understand how staff interact with data. Critical assets may contain specific project names, codenames or data types (such as credit card details). User activity management solutions, run in monitor-only mode, can help define these workflows. Consider using strong physical access control incorporating biometric readers integrated with endpoint security. If you can restrict access to sensitive data on a true need-to-know basis, then you can reduce the likelihood of it being leaked and more easily identify the source of any breach in the event that an employee is acting maliciously. Protect your data across the seven layers of interaction: physical, transaction, file and folder, content, application, device and user guidance.

Individuals are often unaware that their actions constitute a potential data breach. Alerting employees to any action that conflicts with approved procedure, or warning them when they access restricted documents, provides a gentle reminder of security policy. Solutions that mentor rather than simply block activity will be less likely to prompt innocent employees to search for workarounds. Integrate the dialogue boxes presented with physical security such as CCTV images and access control systems, so that you have a record of who was working on a particular file or server at the time the risky activity was detected, and not just which user account was used. This can help to identify employees who might need amended access privileges or updated training. Ensure that your physical and logical (IT) security systems can talk to one another, linking CCTV sequences and desktop screenshots with particular user actions or entry to secure areas, to provide a visual audit trail of events. In so doing you will be able to create a highly effective holistic security system that recognises and blocks risky behaviour, alerts management as events are taking place and prevents security breaches.

About the author
Richard Walters is CTO at Overtis (www.overtis.com), a vendor of user activity management technology that integrates endpoint security with physical security systems including access control systems, CCTV and RFID. Prior to joining Overtis, Walters was CTO at Integralis. An expert in the information security industry, he has worked as a security architect, tester and compliance auditor and has more than 20 years’ experience in the IT industry working with blue-chip vendors including Digital, Dell and Panasonic, complemented by experience in end-user roles.
References
1. ‘2010 Data Breach Investigations Report’. Verizon Business and US Secret Service, 28 July 2010. Accessed Oct 2010.
2. ‘Cloud Computing: Benefits, Risks and Recommendations for Information Security’. European Network and Information Security Agency, November 2009. Accessed Oct 2010.
3. ‘DEF CON survey reveals vast scale of cloud hacking – and the need to bolster security to counter the problem’. Fortify Software, 24 August 2010. Accessed Oct 2010.
4. Tarzey, Bob. ‘Privileged user management, it’s time to take control’. Quocirca.
5. Walters, Richard. ‘Realising Compliance’. Overtis.