There's an old saying that "Power tends to corrupt, and absolute power corrupts absolutely." While traditionally applied in the political arena, the same concepts hold true for most organisations from a security perspective. Unchecked power, often in the form of access rights and privileges, can lead to damaging security incidents in any organisation.
Often, the most powerful entities in any organisation are privileged accounts and identities, since they provide the widest and deepest access to systems and the data beneath them. These accounts let the most capable IT users in an organisation do their jobs with the elevated permissions, access rights and administrative capabilities those jobs require. Yet they are often the least managed, monitored or controlled accounts in the estate. Because they are typically shared, generic accounts rather than accounts tied to an individual, the access they provide is effectively anonymous and untracked: a log entry shows that the account was used, not which person used it.
Traditionally, organisations managed these privileged accounts by "trusting" the administrators and personnel who held them to use them only "as needed" and not to abuse them. Unfortunately, as we find out time and time again, trust is not a security policy. Several recent cases show how pervasive and powerful these privileged accounts are, and what the consequences can be when they go unchecked. Consider these examples:
* An IT contractor was recently indicted for illegally accessing a privileged account and compromising a computer system that Pacific Energy Resources used to monitor offshore oil platforms in California and Alaska. The contractor crashed the system; while there was thankfully no environmental disaster as a result, the company reports that his actions caused thousands of dollars of damage;
* Yusuf Acar, Washington D.C.'s CSO, is still in jail on charges relating to the bribery scheme he was running out of his office. One of the biggest challenges facing investigators is understanding how pervasive his access to systems and information in the IT infrastructure was: Acar had used his privileged accounts to set up backdoors throughout the organisation;
* In one of the most infamous cases of privileged abuse, network engineer Terry Childs was charged last year after using his exclusive administrative control of San Francisco's FiberWAN network to lock the city out of its own network, refusing to hand over the admin passwords;
* Fannie Mae narrowly avoided a devastating attack after a contractor who had been dismissed that day, but whose privileged access had not yet been revoked, used that access to plant a logic bomb on the company's network that could have taken the network down entirely.
These are just a few of the more recent and sensational examples of privileged abuse. While these incidents are often written off simply as further cases of "rogue insiders," what they really constitute is a continued organisational failure: granting near-omnipotent power to individuals with little means of taking that power back, and no way to monitor what takes place during those privileged sessions.
Fueled by these headlines, the power of privileged accounts and their potential for abuse have started to capture broad attention, not least within government. The SANS Institute, in conjunction with several federal agencies including the DoD, recently released the Consensus Audit Guidelines, highlighting 20 critical security controls viewed as essential for blocking the most common security incidents. Controlled use of administrative privileges, enforced automatically and continuously rather than by trust, is high on the list.
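As an added example that is not part of the original article, the following Python script illustrates the attribution gap described above and one small piece of the automated, continuous control the guidelines call for. It reads constructed auth.log-style lines (sample data, not real logs) and separates privileged activity that can be attributed to a named person (a sudo elevation, which records who ran what) from direct logins to shared privileged accounts, which cannot. The host name, IP addresses and the SHARED_PRIVILEGED_ACCOUNTS set are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the style of a Linux auth.log; not data from any real system.
SAMPLE_AUTH_LOG = """\
Mar  3 08:12:01 db01 sshd[2211]: Accepted password for root from 10.0.0.15 port 51022 ssh2
Mar  3 08:15:44 db01 sshd[2240]: Accepted publickey for alice from 10.0.0.21 port 51100 ssh2
Mar  3 08:16:02 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Mar  3 09:01:17 db01 sshd[2310]: Accepted password for oracle from 10.0.0.33 port 40211 ssh2
Mar  3 09:30:55 db01 sshd[2388]: Accepted publickey for bob from 10.0.0.22 port 52001 ssh2
Mar  3 09:31:10 db01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 11:44:09 db01 sshd[2501]: Accepted password for root from 10.0.0.90 port 44412 ssh2
"""

# Hypothetical inventory of shared, generic privileged accounts on this host.
# In practice this comes from your account inventory, not a hard-coded set.
SHARED_PRIVILEGED_ACCOUNTS = {"root", "oracle", "admin"}

# sshd login: records the account name and source, but not the person behind a shared account.
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
# sudo elevation: records the named user, the target account and the exact command.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def classify_privileged_events(log_text, shared_accounts=SHARED_PRIVILEGED_ACCOUNTS):
    """Split privileged activity into attributed and unattributed events.

    Attributed:   a named user elevating via sudo (who, to what, and which command).
    Unattributed: a direct login to a shared privileged account, where the log shows
                  only the shared account name and a source address, not a person.
    """
    attributed, unattributed = [], []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            attributed.append({"user": m["user"], "target": m["target"], "cmd": m["cmd"]})
            continue
        m = LOGIN_RE.search(line)
        if m and m["user"] in shared_accounts:
            unattributed.append({"account": m["user"], "src": m["src"], "method": m["method"]})
    return attributed, unattributed


def unattributed_summary(unattributed):
    """Count unattributed privileged sessions per shared account."""
    return Counter(e["account"] for e in unattributed)


def findings(log_text, shared_accounts=SHARED_PRIVILEGED_ACCOUNTS):
    """One audit finding per shared account that was logged into directly."""
    _, unattributed = classify_privileged_events(log_text, shared_accounts)
    out = []
    for account, n in sorted(unattributed_summary(unattributed).items()):
        srcs = sorted({e["src"] for e in unattributed if e["account"] == account})
        out.append(f"{account}: {n} direct login(s) from {', '.join(srcs)}; no individual user attributable")
    return out


if __name__ == "__main__":
    attributed, unattributed = classify_privileged_events(SAMPLE_AUTH_LOG)
    for e in attributed:
        print(f"attributed   {e['user']:>6} -> {e['target']}: {e['cmd']}")
    for f in findings(SAMPLE_AUTH_LOG):
        print("UNATTRIBUTED", f)
```

Run against the sample, the two sudo lines are attributable to alice and bob (including bob's change of the root password, which is exactly the kind of action a reviewer would want a name against), while the three direct logins to root and oracle produce findings with nothing but an IP address to go on. Fed with real logs on a schedule, a check like this turns "trust the admins" into a continuous control: any direct login to a shared account is an alert, and the remedy is named accounts plus sudo or a vaulted checkout so that every privileged action has a person behind it.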