
OPM hack may finally end overuse of 'privileged' user access

Office of Personnel Management attackers entered the agency's network with a username and password belonging to an external contractor. As a result, security experts are renewing calls for stricter limits on this kind of privileged access. 

Susan Walsh/AP
Office of Personnel Management Director Katherine Archuleta, left, returned to Capitol Hill on Thursday to testify in front of the Senate Homeland Security and Governmental Affairs Committee.

The widening data breach at the Office of Personnel Management has focused attention on the longstanding failure by many large organizations to properly protect user accounts that have broad – or privileged – access to critical digital systems and data.

In testimony before lawmakers this week, OPM Director Katherine Archuleta disclosed that in one of the two recently discovered intrusions at the agency, intruders gained access to its systems using a username and password belonging to an external contractor working for the agency.

The attackers then leveraged that foothold to access a critical database and siphon out sensitive personal data belonging to an estimated 4 million current and former federal workers. Their activity remained hidden from view since it was carried out under the guise of someone with legitimate access rights.

The same tactic has been used repeatedly and with stunning success by malicious hackers in numerous attacks recently, most notably the late 2013 Target hack that exposed data on more than 40 million credit and debit cards. The intrusion at health insurer Anthem also is believed to have resulted from attackers gaining access to usernames and passwords belonging to multiple employees, including a network administrator.

"I don’t want to bash government. But there’s absolutely no reason why [the OPM breach] won’t be taken as an opportunity to think and act differently," on the privileged user issue, says Udi Mokady, chief executive officer of CyberArk, a security firm that sells a product to help organizations control access to privileged accounts.

It is not unusual for an organization to have thousands of privileged accounts scattered across its networks without even being aware that they exist, Mr. Mokady says.

In a report to Congress earlier this year, the White House Office of Management and Budget estimated that at the end of 2014, more than 134,280 federal accounts had privileged access to systems protected by nothing more than a username and password. OPM itself has not revealed how many such accounts it has. But in her testimony to lawmakers this week, Ms. Archuleta noted that 47 of OPM's biggest applications are still protected only by usernames and passwords.

Following the OPM breach disclosure, federal Chief Information Officer Tony Scott announced a 30-day "cybersecurity sprint" for bolstering key security capabilities at federal agencies. The most significant among them is a requirement for all agencies to tighten policies and practices for privileged users.

Mr. Scott’s instructions call on federal agency CIOs to minimize the number of privileged users and to limit the functions that can be performed from such accounts. The instructions also require agencies to limit how long a privileged user can remain logged into an account and to restrict the actions that can be taken when someone is logged in from an external location.

Privileged accounts allow systems and network administrators to perform necessary tasks such as maintaining systems and software, applying security and software updates, and carrying out other routine administrative work. Virtually every computer system, piece of network equipment, application, and database has such accounts built into it.

Anyone who holds the credentials for one of these accounts has, in effect, the means to take complete control of the system. The problem is well understood, and numerous incidents over the years have highlighted how critical it is for organizations to ensure that privileged accounts cannot be abused to steal data or sabotage systems.

One of the most dramatic of them happened in 2008, when Terry Childs, a network administrator for the City of San Francisco, reset the passwords on a crucial city network over a work-related dispute, locking city officials out of it for nearly 10 days. Over the years there have been numerous other incidents in which privileged access rights were abused to sabotage systems, snoop on users, and steal intellectual property and sensitive data from organizations.

Many incidents of privileged access abuse have involved insiders. But as the recent breaches have shown, an external attacker who gains access to credentials with elevated privilege can create the same havoc and remain mostly hidden while doing so.

Security best practices require organizations to protect these accounts and to ensure that anyone who has access to them cannot abuse those rights. A slew of tools is available to tightly restrict, monitor, and audit what administrators can and cannot do with their access.

One of the keys to addressing the problem is limiting the number of people who have access to such accounts, and also how much access they have, says Morey Haber, vice president of technology at BeyondTrust, a security firm. The goal should be to enforce the principle of least privilege, under which users have strictly the access needed to do what they are required to do and nothing else. Also key are measures such as safe storage of passwords, regular password rotation, and complete visibility into what a privileged user is doing with that access, Mr. Haber says.

Even though the privileged access issue is getting more attention, and federal officials are calling for change, few are holding their breath that any significant change will happen quickly.

Bob Lentz, former chief information security officer at the Department of Defense, says procurement practices at federal agencies continue to be a huge hindrance to improvement.

Moving federal agencies to new security technologies quickly is almost impossible under present conditions because of how long it takes to work through the vetting and purchasing cycle, he says. "Cyber gets treated like buying airplanes and ships and tanks," says Mr. Lentz. "It’s ridiculous."
