Mike Winslow, Senior IAM Consultant, SecureITsource, Inc.
Yahoo, Target, JP Morgan Chase, Home Depot, eBay, RSA, Deloitte, Equifax. I don’t have to tell you what these companies all have in common. It seems we can’t make it through the week anymore without hearing about another security breach. I wasn’t real concerned when it was just a retail outlet or fast food company like Target and Sonic. But once they start hitting my bank, security firms, and the keepers of my credit history, I start to sit up and pay attention. If places like RSA, Deloitte, and Equifax can’t keep my data safe, who can? And how is it that companies like RSA and Equifax are getting breached in the first place? Aren’t they supposed to be the Cyber Fort Knox’s of the world? In my opinion the answer to these questions is simple. Arrogance and laziness.
Good security practices require effort and a willingness to accept the fact that everyone is vulnerable. For example, Deloitte had an email server compromised that was hosted on Azure with the admin account only requiring a password. Multifactor Authentication wasn’t enabled. Why not? Was it too much effort to enable? Or maybe they felt they had a lock on their security and were impenetrable. Arrogance and laziness.
The intention of this article is not to call out Deloitte or any of the other breached companies but to address something that I have experienced firsthand as a system administrator and security consultant. I have 20 years of combined experience in IT administration so I have seen arrogance and laziness at its best. Let me give you an example.
When working for a previous company, they had extremely strict security policies regarding password management for shared admin accounts. The password had to be 16 characters using upper, lower, numeric, and special characters. In addition, it had to be rotated every 90 days unless someone with access to the accounts left the company or moved to a new position. In that case the passwords all had to be rotated within 7 days. On the surface this sounds like good security but when you look at what was really happening, a different picture of their security emerges. First, all their accounts had the same password. That means once I obtain the password for one local admin account, I have freedom to move from one server to another. Second, when they rotated the 16-character password, all they did was increment it, changing it from 16CharacterPass#1 to 16CharacterPass#2. Now if I was a former employee and had been there through a couple of password rotations, how hard would it be for me to figure out what the new password was changed to after I left? Yes, it is hard to type in a randomly generated 16-character password which is different for all 200 of my servers but is looking for a new job any easier? Laziness.
I have also worked with administrators that felt that their network and systems were so completely locked down and protected from breach that they became lax in their approach to managing their own credentials and applying security patches to their systems. They seemed to have the attitude that no one could get in to their network so it wouldn’t matter if they delayed installing new security patches for a few weeks until they had more time to work on the patching. Arrogance.
What’s interesting is that it seems more emphasis and oversight is given to regular non-admin users than is given to the protectors of the kingdom. These protectors make sure security policy is enforced on the end-user without exception. They enforce all types of Group Policies on the end user workstations and individual accounts. However, when it comes to their own admin workstations and accounts they tend to disable this or modify that to make their job of protecting the kingdom easier. After all, they know what to look for, they know how to prevent a breach, and they are so strong and well protected that it isn’t going to happen to them anyway. Arrogance and laziness.
When an analysis of the major breaches of the past few years is done, most if not all can be traced back to the compromise of shared admin accounts. Tools such as CyberArk which are intended to keep these accounts safe will not be successful if the security features are disabled or modified to make it easier for the system administrators. I had one admin ask me if I could make the passwords in CyberArk be something easy to remember for the first 12 characters of all their Windows admin accounts and just rotate the last 4 characters so that it would be easier to remember. Installing a security tool like CyberArk isn’t going to prevent a breach if it’s modified to make it “easy” on the admin. As with any other tool in the admins security arsenal, it is only as good as the admin that uses it. Arrogance and laziness is by no means the only weakness or cause of a security breach but it is a good place for you to focus and maybe do some internal reflection to see if maybe your own security habits could use some strengthening. Twenty years ago, arrogance and laziness could have been overlooked but in today’s fast changing Cyber Security world, there just isn’t any room or excuse for their existence.