Thursday 8 March 2018

Protect by Managing Your Superusers


Written by Will Lambert



Credit – YouTube, WhatCulture

The inner geek comes to the fore now…. When I was thinking about writing this blog, the term “Super” obviously conjured up images of Superheroes. How better to personify the Superuser than by using characters who showcase powers which no one else has – Superman for example. In the Detective Comics (DC) world, when Superman is exposed to Black Kryptonite, two entities exist - good and bad, light and dark. Although Superman can use his powers for good, should Metropolis be faced with the dark Superman, his powers can inflict absolute devastation.

The term Superuser is used to describe a special user account which is used for system administration. Depending on the Operating System (OS), a Superuser account can come in the form of root, sysadmin, administrator, admin, supervisor or alike. Superusers are usually a prime target in a cyber-attack because of the amount of power they hold over a network. Generally speaking, a Superuser can;

·         Create Accounts
·         Delete Accounts
·         Elevate privileges assigned to accounts
·         Have unfettered access to all areas of the network



Typically, Superuser accounts are shared among a group of users, with the names of the accounts kept as default - admin, root etc. What is even more alarming, is the accounts are typically secured only with a password - which is usually commonly known or can even be a repeat of the account name;




Credit - https://cirt.net/passwords?vendor=Microsoft
This is recognised as commonplace by the security industry. The OWASP Top Ten (2017) specifically addresses this weakness in “A6 - Security Misconfiguration”;

Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system.”

Cyber Criminals and other Threat Actors commonly exploit this weakness. When authors code Malware, they will program it to hijack Superuser accounts. Like a parasite, the Malware will latch onto the Superuser, using its credentials to spread through the network. The BadRabbit ransomware for example was programmed with several well-known Superuser aliases including Admin, Administrator and root. To accompany the usernames, the authors of the ransomware also supplied well known passwords such as, admin, admin123, password, qwe and qwe123. Malware used to create Botnets also supplies similar information to take control of devices, my previous blog “Cyber Criminals set to Reap the benefits of an insecure IoT” describes the rapid increase of this threat.

The “access all areas” power attributed to Superusers is typically why Threat Actors (TA) target Superuser accounts. Through compromising a Superuser account, TA are able infiltrate and traverse through a network, undetected while surveying where your key data is – customer / client Personal Data, Intellectual Property etc - then move to steal it. Not unlike how Clarkson’s were breached in November 2017. Clarkson’s communicated in the statement below;

“the unauthorised access was gained via a single and isolated user account”





I do recognise the reasoning behind why people share accounts. To put it simply, the view to share a Superuser account makes it easier to manage, I get that. However, we must be aware that when we share a Superuser account, we have no way to track and assign accountability. No method to define who does what with any given Superuser account. Given the power they can wield within your environment, Superuser accounts must be individually owned.

Let’s examine the implications of having individually owned Superuser accounts. How many Superuser accounts do you have in your domain? And how many users share the use of those Superusers? For example, if I had only 10 Superuser accounts but those accounts were shared by 20 users, I will have to create and manage an extra 200 accounts. It is more work, but it is work that will help to secure your network.

What will always escape me is why these accounts are secured using well-known passwords. Your Superuser accounts must be subject to the same password policies as all your users are. Like normal accounts, password policies must apply to Superuser accounts, Passphrases can be used, password change periods, password complexity, the use of multifactor authentication and so on. This task can be a bane to bear, but there are methods which will enable you to properly manage your Superuser accounts.

We must remember service accounts. service account is a special user account that an application or service uses to interact with the operating system. For example, a service account will be allocated for the use of printers and other services available on your network, and because we need to pool our resources (i.e. share a printer for more than one user) - service accounts are generally attributed the same luxuries as a Superuser account, specifically the “access all areas” power. Again, this has a darkseid. They are commonly targeted for hijack in a cyber-attack. BadRabbit Ransomware was hardcoded to target common service account usernames such as ftp, ftpadmin, nas, nasadmin and rdp, accompanied with favoured service account passwords, 123, 123321, 1234, the killing joke continues.

Going back to the example of individually owned Superuser accounts, now add in all your service accounts…. The task of network administrators to properly manage through securing all these accounts will require a lot of cost and in the event of a cyber-attack – one network security team against a spreading threat, will likely be overwhelmed. However, there is hope.

Service accounts and Superusers are known as Privileged Identities or Users. Tools which secure thorough managing all your privileged accounts are known as Privileged Identity Management (PIM) or Privileged User Management (PUM). PIM / PUM is absolutely the best way to regain control over your network in the event your privileged identities are hijacked.

Let me pose a scenario for you. An unwitting user clicks on a Phishing link which subsequently downloads malware onto your network. Let’s imagine this is a brand new, previously unregistered Ransomware, therefore there is no known signature to flag any alerts. The first indication you get is likely to be in the form of a user calling the service desk and describing a ransom screen. The Ransomware moves from machine to machine, encrypting your company’s key information and continues to spread because it has been able to hijack a Privileged Identity. What are your first actions? How can you further protect other machines within your environment from being infected? Through a single console, PIM / PUM will be like a Kryptonite bullet & take down the Dark Superman. PIM / PUM will be able to change the credentials of all your Privileged Identities within minutes and you will recover control over your network, preventing any further spread of destruction within your Metropolis.

Hopefully the good side will prevail, because an Evil Superman is not someone we want flying around our city
-          Supergirl