A year after the Terry Childs case, privileged user problem grows

Figuring out how to manage those who manage the network keys is crucial for security

One year after former network administrator Terry Childs made national headlines for locking up access to a crucial San Francisco city network, the issue of how to protect corporate systems against the very people who manage and administer them remains as thorny as ever.

Just yesterday, Lesmany Nunez, a former computer support technician at Quantum Technology Partners (QTP) in Miami, was sentenced to a year in jail for illegally using his administrator account and password to shut down the company's servers from his home computer. Nunez also changed the passwords of all the IT systems administrators at the company and deleted certain files that would have made data restoration from backup tapes easier. His actions resulted in more than $30,000 in damages to QTP.

[ Read Paul Venezia's jailhouse interview with Terry Childs | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Numerous similar cases, including ones involving Fannie Mae and Pacific Energy Resources Ltd. have been reported over the past few months, each one causing considerable damage and disruption to the companies involved.

Childs is awaiting trial after being jailed last July on a $5 million bond for resetting administrative passwords to switches and routers on San Francisco's FibreWAN network, and later refusing to divulge the new passwords thereby locking up the network.

Such sabotage can be extremely difficult to stop because it involves users with legitimate administrative access to critical systems. But contributing to the problem is the continuing failure by many companies to adequately manage the numerous user accounts and passwords that control privileged access to critical corporate networks and systems.

Although the issue is well recognized by security experts, far too many companies continue to overlook it, said Sarah Cortes, an analyst with Inman TechnologyIT. The threat is "highly underestimated," Cortes said.

"It's not a sexy issue, but it's a fundamental security issue," said Cortes, a former tech executive at several financial services companies.

Large companies can have thousands of account names and passwords that provide root access to applications, databases, networks and operating systems. While not all of them are critical to the enterprise, there are numerous accounts that if abused can cause serious disruptions enterprise wide.

Some companies can have anywhere between 10 and 70 people with root-level access to such critical systems, Cortes said. These could be staff who require access for system or database maintenance purposes, for patching or upgrading applications, and other valid reasons. The number of people with such access is usually far greater than managers might know about or track, Cortes said.

The situation is worse in environments with older legacy systems that are no longer being actively supported but need to be maintained all the same. There can be numerous individuals in such situations who have been provided emergency, or temporary, root-access to a system in response to a specific need, but whose access is then never later revoked, she said.

Many companies today do not have adequate termination controls for quickly removing access rights when a person leaves a company.

Another problem is the fact that privileged passwords are often shared among multiple staff who might need access to the same system for various reasons. "When you are talking about a shared password you might not even know who has access to the password [over time]," said Boaz Gelbord, executive director of information security at Wireless Generation Inc., a technology services provider to the educational market.

Because such passwords are shared by people across multiple functional groups, they are seldom changed and, over time, end up being used by numerous individuals.

Many companies are still failing to adequately log and audit the use of such shared passwords to gain access to critical systems, Gelbord said. "There is a fundamental difference between a regular password and a shared password," he said.

While companies have fairly mature processes for forcing changes for regular passwords, few have the same processes for privileged passwords, he said.

More tools are becoming available to companies to help better manage privileged access accounts. Though such tools can do little to stop a really determined insider from abusing his or her privileged access, they do make it harder, Gelbord said.

His company is using a password management tool from Cyber-Ark Inc. to centralize privileged user accounts, apply policies to them, as well as log and audit their use.

"I think the real benefit of having such tools is not so much about preventing a particular person from hitting a particular system," Gelbord said. Rather it's more about instituting a process for controlling access to privileged accounts, he said. "You want to know exactly who has access to your critical systems at all times".

Cyber-Ark's products are designed to help companies centralize and securely manage privileged accounts, and can be used to automatically change passwords, as well as audit and log use.

The technology can be used to enforce privileged account policies on Unix/Linux, Windows, Cisco, Oracle, SAP, and other environments. The company is one among a handful of others, including Symark International Inc. and e-DMZ, to offer tools designed to help companies better manage privileged accounts.

While such tools can be useful, it's vital that companies monitor the alerts generated by them, and sift through the false-positives, Cortes said.

Security managers need to do a daily audit and control report looking at all of those who have access to critical systems and ensuring that they have them for a legitimate reason, she said.

"I wouldn't expect to see more than one or two names for any application," Cortes said. "When you start to see the number grow, it's time to look into the matter."

This story, "A year after the Terry Childs case, privileged user problem grows" was originally published by Computerworld.

Copyright © 2009 IDG Communications, Inc.

How to choose a low-code development platform