26
March 2015
GCHQ - Privileged Account Abuse
Andy Harris
Much of the talk in IT security circles over the past week has been centred around new guidance for businesses from the UK’s spy agency. Sensationalist news reports told us that GCHQ has been telling firms to consider stripping employees of their mobile devices to avoid cyber attack. But between the attention-grabbing headlines and the indignant fury of industry rent-a-quotes was a very important warning from GCHQ:
“Dissatisfied users may try to abuse their system level privileges or coerce other users, to gain access to information or systems to which they are not authorised.” We couldn’t agree more. Attacks on privileged accounts, whether from “dissatisfied users” or external actors, represent among the most under-reported but potentially damaging forms of cyber intrusion facing organisations today.
If you read the report critically, what CESG – the information assurance arm of GCHQ – is actually recommending in its “10 Steps to Cyber Security” is actually pretty good advice. It’s obviously down to an individual organisation whether they act on this advice, and that will depend on their risk profile and whether doing so might affect staff productivity, business agility and so on.
The reports main recommendations appear to be:
GCHQ is also right to warn that employees are the “weakest link in the security chain”. But we’d go one further. It’s IT staff and those with privileged accounts that are potentially the weakest link. As rightly mentioned by the intelligence agency, system level privileges are wide open to abuse.
But arguably more dangerous than the insider threat is the increasing frequency with which they’re being targeted by outsider groups. Think about it. If you’re a cyber criminal or a state-sponsored operative and you want to infiltrate a specific targeted organisation to retrieve sensitive data, where’s the best place to focus your efforts? On the temporary receptionist who might fall for your spear phishing email but only give you low-privileged access? Or on the IT admin who will give you the keys to the kingdom first time round?
It might take the attacker more time to research their spear phishing strategy to make sure it’s convincing, and to do some reconnaissance so they get the IT guy with the required set of account access rights – but it’ll be worth it. This is a step up from your average targeted attack – a quick, effective cyber sniper shot which stands a much better chance of evading detection. And social media and specialist forums provide the perfect reconnaissance tools for the clued up hacker.
It’s not easy to mitigate against this kind of attack but here are some initial tips: