The story below is true in essence, if not in particulars, and it is one that has played out many times across all sectors.
The IT security head of a major federal agency — we’ll call him Sam — comes to work one morning. He meets Susan from cryptography, who mentions that one of their IT admins, Larry, has been working since 5 a.m. Sam finds this strange because Larry is a night owl. Susan tells him that Larry requested access to the agency’s primary database for maintenance purposes. Though his credentials and keys were older, they were still viable, so Susan granted his request.
As Sam reaches his office, he comes across David, who works in Data Loss Prevention. He shares his surprise at how hard Larry has been working this morning, transferring gigabytes of data around the network. David figures there must be a major update in the works, and Sam agrees that must be the reason. Sam is impressed with Larry’s initiative to work off-hours, and he asks what kind of data Larry’s been transferring.
David doesn’t know. After all, Data Loss Prevention can’t see what kind of data is moved in and out of the system if it is encrypted. However, he tells Sam that Susan from cryptography said his credentials checked out, so not to worry. Larry is a trustworthy employee.
Sam is starting to feel vaguely uneasy. He stops by the office of Jill, who’s in charge of Privileged Access Management, and asks if she’s interacted with Larry today. Jill tells him that, in fact, Larry worked around her by using an SSH key pair. Sam comments that this seems like a breach of protocol, but Jill assures him that this type of thing happens all the time. She mumbles something about how she’s never bothered to check for new SSH keys after vaulting all the SSH keys on her first day at the agency. She supposes she could continuously discover SSH keys, but that seems like a lot of work.
Foreboding is building as Sam finally sits down at his desk and turns on his computer. His login fails; he realizes he’s forgotten his password again. As if on cue, his phone rings. It’s Larry, who is coughing and sniffling. He apologizes for calling so late in the work day, but …
Sam chuckles, saying he was just about to call Larry to help retrieve his password. Larry tells him he can help Sam but recommends that, going forward, he use the same password for everything; that way, he’ll never forget it. In fact, Larry has written his password on his computer screen at work so anyone can use his account to reset forgotten passwords when he is not in the office.
The knot in Sam’s stomach tightens. “Wait – you’re not in the office?” Larry explains that he called to say he is sick and won’t be in today. “If you’re not here, then who is moving massive amounts of encrypted data out of the network?”
Larry can offer no explanation. It seems impossible that someone could have stolen the backdoor SSH key that bypasses PAM, which he keeps on his work computer – right next to his password.
What federal IT needs to know
The story doesn’t have to go this way. To write an alternate plotline, Sam must understand that there is no perimeter anymore, and an outsider can easily become an insider once perimeter security is breached. Every day, attackers find new ways to breach enterprise perimeter security through ransomware, malware or phishing through social engineering. A determined attacker can and will get in, so the security mechanisms you have in place to mitigate the damage will make the most difference.
Sam and his IT security team need to know these truths:
- Neither internal nor external networks can be trusted. All traffic should be inspected. Encrypted traffic that is never decrypted for inspection leaves DLP, firewalls and other inspection tools blind to its contents.
- There are a variety of ways that attackers can get into a network, but the most effective way for them to spread once inside is through the theft of credentials such as SSH keys.
- Network environments must be continuously monitored for new SSH key deployments. Not doing so can render any PAM system useless.
- The most efficient way to prevent credential theft is by using short-lived credentials, which eliminates the need for passwords or burdensome and intrusive PAM systems.
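The third point above, continuous discovery of SSH keys, is concrete enough to show in code. The following is an added example, not code from the original article or from SSH Communications Security: it parses each account's authorized_keys content, computes OpenSSH-style SHA256 fingerprints, and reports every key the vault inventory does not know about, plus any line it cannot parse (a line that cannot be parsed still deserves a look, not a silent skip). The vault inventory, the account names and the key blobs are constructed placeholders built inside the script; the blobs have the correct ssh-ed25519 wire layout but are derived from labels and are not real keys.

```python
"""Added example: flag authorized_keys entries that are missing from the vault inventory."""
import base64
import hashlib
import shlex
import struct

# Key types expected in authorized_keys; any other token after the options is treated as unparseable.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def fingerprint_sha256(blob_b64):
    """Return the OpenSSH-style 'SHA256:...' fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _entry(lineno, key_type=None, fingerprint=None, options="", comment="", reason=None):
    return {"line": lineno, "type": key_type, "fingerprint": fingerprint,
            "options": options, "comment": comment, "reason": reason}


def parse_authorized_keys(text):
    """Parse authorized_keys content into entries, keeping any option prefix.

    Options such as command="..." or from="..." sit before the key type and are
    worth preserving in a finding, because a key planted after the vaulting pass
    often carries restrictions or a forced command. Lines that cannot be tokenised
    are returned with a reason so they are reviewed rather than skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # respects quoted option values containing spaces
            key_idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            fingerprint = fingerprint_sha256(tokens[key_idx + 1])
        except (ValueError, StopIteration, IndexError):
            entries.append(_entry(lineno, reason="unparseable entry"))
            continue
        entries.append(_entry(lineno, tokens[key_idx], fingerprint,
                              options=" ".join(tokens[:key_idx]),
                              comment=" ".join(tokens[key_idx + 2:])))
    return entries


def find_unknown_keys(inventory, hosts):
    """Compare every account's authorized_keys against the vault's set of fingerprints.

    `inventory` is the set of SHA256 fingerprints the PAM vault knows about;
    `hosts` maps an account label to that account's authorized_keys text.
    Returns only the entries that need attention, each with a reason.
    """
    findings = []
    for user, text in hosts.items():
        for entry in parse_authorized_keys(text):
            if entry["reason"] is None and entry["fingerprint"] not in inventory:
                entry["reason"] = "not in vault inventory"
            if entry["reason"] is not None:
                findings.append({"user": user, **entry})
    return findings


def _constructed_ed25519_blob(label):
    """Constructed placeholder: correct ssh-ed25519 wire layout, derived from a label, not a real key."""
    pub = hashlib.sha256(label).digest()  # 32 bytes standing in for the public key
    wire = struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(wire).decode()


# Constructed sample data: two keys the vault recorded on day one, and the files seen today.
VAULTED_BLOBS = [_constructed_ed25519_blob(b"larry-vaulted"), _constructed_ed25519_blob(b"backup-service")]
VAULT_INVENTORY = {fingerprint_sha256(b) for b in VAULTED_BLOBS}
_ADDED_LATER = _constructed_ed25519_blob(b"added-later")

SAMPLE_HOSTS = {
    "larry": (
        "# vaulted on day one\n"
        f"ssh-ed25519 {VAULTED_BLOBS[0]} larry@workstation\n"
        f'command="/usr/local/bin/maint.sh",no-pty ssh-ed25519 {_ADDED_LATER} maintenance\n'
    ),
    "svc-backup": f"ssh-ed25519 {VAULTED_BLOBS[1]} backup\n",
    "jill": 'from="10.0.0.1 ssh-rsa AAAAB3Nza junk\n',  # unbalanced quote: cannot be parsed
}

if __name__ == "__main__":
    for f in find_unknown_keys(VAULT_INVENTORY, SAMPLE_HOSTS):
        print(f"{f['user']}: line {f['line']}: {f['reason']} "
              f"(type={f['type']}, fp={f['fingerprint']}, options={f['options']!r}, comment={f['comment']!r})")
```

Run on a schedule against the authorized_keys files collected from each host, the output is the list Jill never produced: every key that appeared after the vaulting pass. A key that is in the file but not in the vault is the condition that lets an SSH key pair bypass PAM, so it is the alert, not the absence of one.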
The role of Larry could be played by anyone with the technical know-how. By using legitimate credentials, he could lurk in a government system undetected and unimpeded, learning and waiting to strike. Federal IT systems hold sensitive data whose loss could jeopardize the well-being of individuals, the citizenry in general or the national interest. This data is too important not to protect in every way possible, and managing privileged access cannot be overlooked.
John Walsh serves as director of product marketing at SSH Communications Security, where he is focused on raising industry awareness of risk and compliance issues of unmanaged credentials.