Written by Will Lambert
The inner geek comes to the fore now… When I
was thinking about writing this blog, the term “Super” obviously conjured up
images of Superheroes. How better to personify the Superuser than by using
characters who showcase powers which no one else has – Superman for example. In
the Detective Comics (DC) world, when Superman is exposed to Black Kryptonite,
two entities exist - good and bad, light and dark. Although Superman can use
his powers for good, should Metropolis be faced with the dark Superman, his powers
can inflict absolute devastation.
The term Superuser is used to describe a special user account which is used
for system administration. Depending on
the Operating System (OS), a Superuser
account can come in the form of root,
sysadmin, administrator, admin, supervisor or the like. Superusers
are usually a prime target in a cyber-attack because of the amount of power
they hold over a network. Generally speaking, a Superuser can:
- Create accounts
- Delete accounts
- Elevate the privileges assigned to accounts
- Have unfettered access to all areas of the network
Typically, Superuser accounts are shared among a group of users, with the
names of the accounts kept at their defaults (admin, root, etc.). What is even
more alarming is that these accounts are typically secured only with a password,
one which is usually commonly known or can even be a repeat of the account name.
This is recognised as commonplace by the security industry. The OWASP Top Ten
(2017) specifically addresses this weakness in “A6 - Security Misconfiguration”:
“Attackers will often attempt to exploit
unpatched flaws or access default accounts, unused pages, unprotected
files and directories, etc to gain unauthorized access or knowledge of the
system.”
Cyber Criminals and other Threat Actors commonly exploit this weakness. When
authors code Malware, they program it to hijack Superuser accounts. Like a
parasite, the Malware latches onto the Superuser, using its credentials to
spread through the network. The BadRabbit ransomware, for example, was
programmed with several well-known Superuser aliases including Admin,
Administrator and root. To accompany the usernames, the authors of the
ransomware also supplied well-known passwords such as admin, admin123,
password, qwe and qwe123. Malware used to create Botnets carries similar lists
to take control of devices; my previous blog, “Cyber Criminals set to Reap the
benefits of an insecure IoT”, describes the rapid increase of this threat.
The “access all areas” power attributed to Superusers is typically why Threat
Actors (TA) target Superuser accounts. By compromising a Superuser account, TA
are able to infiltrate and traverse a network undetected while surveying where
your key data is (customer / client Personal Data, Intellectual Property, etc.),
and then move to steal it. This is not unlike how Clarkson’s were breached in
November 2017. Clarkson’s communicated in the statement below:
“the unauthorised access was gained via a single and isolated user
account”
I do recognise the reasoning behind why people
share accounts. To put it simply, the view to share a Superuser account makes
it easier to manage, I get that. However, we must be aware that when we share a
Superuser account, we have no way to track and assign accountability. No method
to define who does what with any given Superuser account. Given the power they
can wield within your environment, Superuser accounts must be individually owned.
Let’s examine the implications of having individually owned Superuser accounts.
How many Superuser accounts do you have in your domain? And how many users share
the use of those Superusers? For example, if I had only 10 Superuser accounts
but those accounts were shared by 20 users, I would have to create and manage an
extra 200 accounts. It is more work, but it is work that will help to secure
your network.
What will always escape me is why these accounts are secured using well-known
passwords. Your Superuser accounts must be subject to the same password policies
as all your other users: passphrases, password change periods, password
complexity, the use of multifactor authentication and so on. This task can be a
bane to bear, but there are methods which will enable you to properly manage
your Superuser accounts.
We must remember service accounts. A service
account is a special user account that an application or
service uses to interact with the operating system. For example, a service
account will be allocated for the use of printers and other services available
on your network, and because we need to pool our resources (i.e. share a
printer for more than one user) - service accounts are generally attributed the
same luxuries as a Superuser account, specifically the “access all areas” power.
Again, this has a darkseid: they are commonly targeted for hijack in a cyber-attack.
BadRabbit Ransomware was hardcoded to target common service account usernames
such as ftp, ftpadmin, nas, nasadmin and rdp, accompanied by favoured service
account passwords such as 123, 123321 and 1234. The killing joke continues.
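The default names and well-known passwords listed above for Superuser and service accounts are exactly the things a defender can audit for. The following is an added example, not the author's own tooling: it checks a constructed inventory of privileged accounts against the names and passwords named in this post, and flags the other weaknesses the post raises (shared ownership, no multifactor authentication, passwords that are short or have not been rotated). Passwords are compared as SHA-256 hashes rather than in clear text; the `PrivilegedAccount` structure, the sample inventory and the policy thresholds are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Account names and passwords named in the post (BadRabbit's lists and the
# common Superuser aliases). A real audit would use a much larger deny-list.
DEFAULT_SUPERUSER_NAMES = {"admin", "administrator", "root", "sysadmin", "supervisor"}
DEFAULT_SERVICE_NAMES = {"ftp", "ftpadmin", "nas", "nasadmin", "rdp"}
WELL_KNOWN_PASSWORDS = {"admin", "admin123", "password", "qwe", "qwe123",
                        "123", "123321", "1234"}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Hash the deny-list once so the inventory never has to hold clear-text passwords.
WELL_KNOWN_HASHES = {sha256_hex(p) for p in WELL_KNOWN_PASSWORDS}


@dataclass
class PrivilegedAccount:
    """One privileged identity as exported from a directory or vault (assumed shape)."""
    name: str
    owners: tuple            # people accountable for this credential
    password_sha256: str     # hash of the current password
    password_length: int
    mfa_enabled: bool
    days_since_rotation: int


def audit_account(acct: PrivilegedAccount, max_age_days: int = 90,
                  min_length: int = 14) -> list:
    """Return the list of weaknesses found on one account (empty if it is clean)."""
    findings = []
    lname = acct.name.lower()
    if lname in DEFAULT_SUPERUSER_NAMES or lname in DEFAULT_SERVICE_NAMES:
        findings.append("default-name")
    # Individually owned accounts are the goal: no owner and many owners are both findings.
    if len(acct.owners) == 0:
        findings.append("no-owner")
    elif len(acct.owners) > 1:
        findings.append("shared")
    # Well-known password, or a password that simply repeats the account name.
    if acct.password_sha256 in WELL_KNOWN_HASHES or acct.password_sha256 == sha256_hex(lname):
        findings.append("well-known-password")
    if acct.password_length < min_length:
        findings.append("short-password")
    if not acct.mfa_enabled:
        findings.append("no-mfa")
    if acct.days_since_rotation > max_age_days:
        findings.append("stale-password")
    return findings


def audit_inventory(accounts, **policy) -> dict:
    """Map each account name to its findings, applying the same policy to all accounts."""
    return {a.name: audit_account(a, **policy) for a in accounts}


# Constructed sample inventory: two accounts of the kind BadRabbit was written
# for, one service account with weak hygiene, and one individually owned admin.
SAMPLE_INVENTORY = [
    PrivilegedAccount("admin", ("alice", "bob", "carol"), sha256_hex("admin123"), 8, False, 400),
    PrivilegedAccount("ftp", (), sha256_hex("ftp"), 3, False, 1000),
    PrivilegedAccount("svc-backup", ("platform-team",), sha256_hex("q7Rz!pL2vX9mT4bN8kW1"), 20, False, 120),
    PrivilegedAccount("alice-adm", ("alice",), sha256_hex("correct horse battery staple"), 28, True, 45),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(findings) if findings else "OK"
        print(f"{name:<12} {status}")
```

Run against a real export, the report gives you the list of accounts to rename, re-own and re-secure before an attacker's hardcoded list finds them first.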
Going back to the example of individually owned Superuser accounts, now add in
all your service accounts… Properly managing and securing all of these accounts
will cost network administrators a great deal of effort, and in the event of a
cyber-attack, one network security team pitted against a spreading threat will
likely be overwhelmed. However, there is hope.
Service accounts and Superusers are together known as Privileged Identities or
Privileged Users. Tools which secure a network by managing all of its privileged
accounts are known as Privileged Identity Management (PIM) or Privileged User
Management (PUM). PIM / PUM is absolutely the best way to regain control over
your network in the event your privileged identities are hijacked.
Let me pose a scenario for you. An unwitting user clicks on a Phishing link which subsequently downloads malware onto your network. Let’s imagine this is a brand new, previously unregistered Ransomware, so there is no known signature to flag any alerts. The first indication you get is likely to be a user calling the service desk and describing a ransom screen. The Ransomware moves from machine to machine, encrypting your company’s key information, and continues to spread because it has been able to hijack a Privileged Identity. What are your first actions? How can you protect the other machines within your environment from being infected? Through a single console, PIM / PUM will be like a Kryptonite bullet and take down the Dark Superman. PIM / PUM will be able to change the credentials of all your Privileged Identities within minutes, and you will recover control over your network, preventing any further spread of destruction within your Metropolis.
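The decisive action in that scenario is the bulk credential change: every privileged identity gets a fresh secret from one console, so a hijacked credential stops working everywhere at once. The following is an added example of that emergency rotation, not the code of any PIM / PUM product. It uses a constructed in-memory stand-in for the directory or vault such a tool would talk to (`InMemoryDirectory`, an assumption), generates new secrets with Python's `secrets` module, writes an audit log that deliberately never contains the secrets themselves, and then verifies that none of the old credentials still authenticate.

```python
import secrets
from datetime import datetime, timezone


class InMemoryDirectory:
    """Constructed stand-in for the directory / vault a PIM / PUM console controls.

    In a real deployment this would be an LDAP, Active Directory or vault client;
    only the three methods below matter to the rotation logic.
    """

    def __init__(self, credentials: dict):
        self._creds = dict(credentials)   # account name -> current secret
        self.changed = []                 # order in which accounts were rotated

    def privileged_accounts(self) -> list:
        return list(self._creds)

    def set_password(self, account: str, new_secret: str) -> None:
        self._creds[account] = new_secret
        self.changed.append(account)

    def authenticate(self, account: str, secret: str) -> bool:
        return self._creds.get(account) == secret


def new_secret(nbytes: int = 24) -> str:
    """Cryptographically random, URL-safe secret (32 characters for 24 bytes)."""
    return secrets.token_urlsafe(nbytes)


def emergency_rotate(directory: InMemoryDirectory, reason: str, operator: str) -> list:
    """Rotate every privileged identity and return an audit log of what changed.

    The log records who, why and when, but never the new secret: the secret lives
    only in the directory / vault, which is the point of using a PIM / PUM tool.
    """
    log = []
    for account in directory.privileged_accounts():
        directory.set_password(account, new_secret())
        log.append({
            "account": account,
            "operator": operator,
            "reason": reason,
            "rotated_at": datetime.now(timezone.utc).isoformat(),
        })
    return log


def old_credentials_dead(directory: InMemoryDirectory, old_credentials: dict) -> bool:
    """True when no pre-rotation credential authenticates any more (i.e. the hijacked
    credential the ransomware was spreading with is now useless)."""
    return not any(directory.authenticate(acct, secret)
                   for acct, secret in old_credentials.items())


# Constructed pre-incident state: the weak credentials the post warns about.
OLD_CREDENTIALS = {
    "admin": "admin123",
    "root": "password",
    "ftp": "1234",
    "svc-backup": "qwe123",
}


def run_scenario() -> dict:
    """Play the post's scenario end to end and return the facts worth checking."""
    directory = InMemoryDirectory(OLD_CREDENTIALS)
    # Before rotation the hijacked credential still works.
    hijacked_works_before = directory.authenticate("admin", "admin123")
    log = emergency_rotate(directory, reason="ransomware spreading via privileged identity",
                           operator="soc-on-call")
    return {
        "hijacked_works_before": hijacked_works_before,
        "rotated": sorted(directory.changed),
        "log_entries": len(log),
        "log_leaks_secret": any("secret" in entry for entry in log),
        "old_credentials_dead": old_credentials_dead(directory, OLD_CREDENTIALS),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The rotation loop is deliberately the simplest possible thing; what makes it effective in the scenario is that every privileged identity is enumerated from one place and changed in one pass, so there is no account the malware can fall back on.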
Hopefully the good side will prevail, because an Evil Superman is not someone
we want flying around our city.
- Supergirl