When outsiders become insiders
- By John Walsh
- Dec 14, 2017
No matter how much money agencies can spend on cybersecurity products and services, it will come to little good if basic and foundational security protocols are not observed. A malicious outsider can quickly become an insider, rendering a cybersecurity budget null and void.
Consider this cautionary tale:
Bill is the chief security officer of Agency Z. Just after the building's security checkpoint, he sees Karen from cryptography, who says that the agency's IT admin Ross has been hard at work since about 5:00 a.m. This seems odd, because Ross is not known as a morning person. Karen says Ross requested access to the agency’s highly sensitive database for maintenance purposes. His access credentials and keys were older, she says, but they still checked out, so she let him continue.
Walking past the water cooler, Bill says hello to Deb from data loss prevention. She mentions that she’s surprised how hard Ross has been working this morning, transferring gigabytes of data around the network. Deb figures there must be a major update in the works, and Bill agrees that must be why Ross came in so early. Bill is impressed with Ross’s initiative to work off-hours, and he asks what kind of data Ross has been transferring.
Deb confesses that she hasn’t the slightest idea. Everything is encrypted for security reasons, so she can’t see what kind of data is moved in and out of the system. However, she tells Bill that Karen from cryptography said Ross’s credentials checked out, so there's no need to worry. Ross is a trustworthy employee.
Bill feels a rising sense of unease, though he can’t pinpoint where it’s coming from.
He stops by the office of Pete, who is in charge of privileged access management (PAM), and asks whether he has had contact with Ross today. Pete tells him that, in fact, Ross worked around him by using an SSH key pair. When Bill says that seems like a breach of protocol, Pete assures him that this type of thing happens all the time. Pete mumbles something about how he’s never bothered to check for new SSH keys after vaulting all the SSH keys on his first day of work. He supposes he could continuously discover SSH keys, but that seems like a lot of work.
Bill’s unease grows stronger as he arrives at his own office and starts his computer. His login fails; he realizes he’s forgotten his password again. As if on cue, his phone rings. It’s Ross, who is coughing and sniffling. He apologizes for calling so late in the work day, but…
A fearful realization grips Bill. “You’re…you’re not in the office?” Ross confirms this, explaining that he called to say he is sick and won’t be in today. “If you’re not here, then who is roaming through all our critical systems and moving massive amounts of encrypted data out of the network?”
How can agencies avoid this scenario?
First, Bill and his team must realize there is no perimeter anymore. Every day, attackers find new ways through perimeter security, whether by ransomware, malware or social-engineering phishing. A determined attacker will get in, turning an outsider into an insider, so the mechanisms agencies have in place to limit the damage once that happens matter most.
Second, the agency's security team should implement these best practices to mitigate attacks resulting from the theft of credentials like SSH keys.
- Continuously monitor network environments for new SSH key deployments to ensure PAM systems are effective.
- Use short-lived credentials to eliminate the need for passwords or burdensome and intrusive PAM systems.
- Decrypt and inspect all internal and external traffic, because encrypted traffic renders data loss prevention tools and firewalls useless.
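The first of these practices, continuous discovery of SSH keys, is what Pete skipped in the story: he vaulted the keys he found on day one and never compared the hosts against the vault again. The following script is an added example, not code from the article or from SSH Communications Security; it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports every key that the PAM vault has no record of. The key material, the vault inventory and the file contents are constructed for the example.

```python
"""Added example: flag authorized_keys entries that the PAM vault does not know about.

All key material and the vault inventory below are constructed for illustration;
nothing here is taken from the article or from any vendor product.
"""
import base64
import hashlib
import re
import struct

# Key-type token, base64 blob, optional comment. Options such as from="..." may
# precede the type, so the pattern is searched for rather than anchored at start.
KEY_LINE_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*?))?\s*$"
)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pubkey32: bytes) -> str:
    """Build the base64 public-key blob for an Ed25519 key (type string + 32-byte key)."""
    raw = ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the decoded blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Return one record per key line; unparseable lines become error records so they are never silently skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE_RE.search(line)
        if not m:
            records.append({"line": lineno, "error": "unparseable"})
            continue
        raw = base64.b64decode(m["blob"])
        if len(raw) < 4:
            records.append({"line": lineno, "error": "blob too short"})
            continue
        (tlen,) = struct.unpack(">I", raw[:4])
        embedded_type = raw[4:4 + tlen].decode(errors="replace")
        records.append({
            "line": lineno,
            "type": m["type"],
            "fingerprint": fingerprint(m["blob"]),
            "comment": m["comment"] or "",
            "has_options": m.start() > 0,           # e.g. from="..." or command="..." prefix
            "type_mismatch": embedded_type != m["type"],  # declared type disagrees with the blob
        })
    return records


def find_unvaulted(text: str, vault_fingerprints: set[str]) -> list[dict]:
    """Keys the vault has never recorded, plus any line the parser could not make sense of."""
    return [r for r in parse_authorized_keys(text)
            if "error" in r or r["fingerprint"] not in vault_fingerprints]


# Constructed sample data: one key vaulted on day one, one added later, one garbage line.
VAULTED_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(range(100, 132)))
SAMPLE_AUTHORIZED_KEYS = (
    "# ~ross/.ssh/authorized_keys as collected by the discovery scan (constructed)\n"
    f"ssh-ed25519 {VAULTED_KEY} ross@admin-ws\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {ROGUE_KEY} maint\n'
    "ecdsa-sha2-nistp256 not-a-valid-blob!!! garbage\n"
)
VAULT_INVENTORY = {fingerprint(VAULTED_KEY)}  # what the PAM vault recorded on Pete's first day

if __name__ == "__main__":
    for rec in find_unvaulted(SAMPLE_AUTHORIZED_KEYS, VAULT_INVENTORY):
        print("ALERT line %d: %s" % (rec["line"], rec.get("error") or f"{rec['fingerprint']} {rec['comment']}"))
```

Run the same comparison on every host on a schedule and diff the result against the previous run; a key that appears between two scans and is absent from the vault is exactly the signal Pete never looked for. The type-mismatch and unparseable-line checks are there because a discovery tool that quietly drops lines it cannot read creates the same blind spot as no discovery at all.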
The entity masquerading as Ross could have been any number of individuals or organized crime gangs that seek access to government data. The individual or group could have been lurking deep in the network for some time, watching and learning before striking. The result could be a massive data breach that depletes citizens’ confidence and, depending on the type of data stolen, could put people, national interests or government secrets at serious risk.
Privileged access management must be taken seriously as part of an overall cybersecurity strategy. The best practices listed above can help agencies avoid becoming the next sad story.
John Walsh is the director of product marketing at SSH Communications Security.