Guarding against emerging spear-phishing threats
During my service aboard U.S. Navy nuclear submarines, fellow crew members and I traveled the world’s oceans to protect against silent threats. Today, in my role as a security software professional, I'm committed to a different type of defense -- working with software designers who are charged with protecting the networks and highly sensitive data at U.S. Government agencies. We're on the front lines, if you will, of a fight against emerging and persistent cyber threats.
This year, IT security staff and contractors are increasingly on guard against the now pervasive tactic of "spear-phishing." In this type of targeted social engineering attack, hackers often use emails that masquerade as trusted information to fool recipients into revealing confidential data. Spear-phishing succeeds because, unlike other attack methodologies, its exploits focus on human interactions. And humans make mistakes.
Inside government agencies, these spear-phishing attacks often seek employee Common Access Card (CAC) credentials and powerful privileged account passwords. The attacks usually appear to originate from a legitimate source -- a member of the IT staff or a supervisor, for example -- duping an employee into revealing a password. From there, the hacker can use the stolen credentials to gain access to highly privileged resources, leapfrog from machine to machine, map the infrastructure, and steal private data.
Privileged accounts exist throughout virtually any IT infrastructure -- on major operating systems, business applications, databases, Web services and network appliances. They’re the accounts that hold elevated permission to access files, install and run programs, and change configuration settings. They include super user logins, service accounts and application-to-application passwords.
However, it’s a dirty secret of the IT world that privileged accounts are often surprisingly vulnerable. Passwords used to access these accounts may remain unchanged for months or even years, and are often common passwords shared among multiple people. That’s why, if even one of these passwords is captured by a spear-phishing attack, the ramifications can be widespread, difficult to track and devastating.
As a case in point, consider last year’s cyber attack on the Canadian government. Canadian Prime Minister Stephen Harper released a brief statement confirming that the government encountered an “attempt to access” information by a foreign source. Government officials did not confirm where the attempt originated from, or what data may have been extracted, but reports emerged that the attacks were traced to servers in China and occurred through a spear-phishing exploit. Apparently, once the attackers gained access, they sent emails from the victims’ computers, requesting (and receiving) passwords to various servers.
This is the sort of attack that keeps all types of government agencies in the U.S. constantly on guard. It’s one of the most vivid examples of why privileged account passwords should never remain static or be shared among employees.
Mitigating the threat
Removing shared and static credentials from your network is not as daunting as it may seem. But first you must find them. Start with a comprehensive audit of your network to locate exactly where these privileged accounts exist. In a large government agency, there are typically thousands of such accounts, including stale accounts once used by former employees and contractors. Each account represents a potential point of vulnerability, so it’s crucial that they be identified and continuously tracked.
Once cataloged, you need to determine whether each of these logins is unique and sufficiently complex. If not, that’s a potential security hole that must be closed. Start by delegating and tracking access to these accounts, ensuring that they’re available only to audited users, on a need-to-know basis, for a limited time. The important point is -- know who used them, when and for what purpose. This will not only discourage misuse of the account, it will provide an audit trail leading back to the precise cause of any problems that may occur.
Finally, keep in mind that to be effective, this must be a continuous process of tracking and changing privileged passwords. That way, there are no static passwords residing on sticky notes, in shared spreadsheets or in an employee’s head, and there is less chance of a crafty spear-phishing exploit gaining anonymous, peer-level access throughout the network.
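The three steps above (inventory the privileged accounts, check each for uniqueness and strength, then keep rotating and retiring them) can be reduced to a repeatable audit. The script below is an added example, not code from the article or from any vendor product, showing what a first pass over such an inventory looks like. The inventory, system names, people and the policy thresholds (90-day rotation, 180-day idle limit, 14-character minimum) are all constructed assumptions; a real audit would feed this from discovery tooling and a credential vault, and the inventory would hold only hashes of secrets, never the plaintext.

```python
"""Audit a privileged-account inventory for shared, static, stale and weak credentials.

Added example with constructed sample data and assumed policy thresholds.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MAX_ROTATION_DAYS = 90   # assumed policy: rotate privileged secrets at least this often
MAX_IDLE_DAYS = 180      # assumed policy: unused this long -> candidate for removal
MIN_SECRET_LENGTH = 14   # assumed policy: minimum length for a privileged secret


@dataclass(frozen=True)
class PrivilegedAccount:
    system: str
    name: str
    secret_fingerprint: str  # SHA-256 of the secret; the plaintext is never stored here
    last_rotated: date
    last_used: date
    owner: str
    owner_active: bool       # False once the owner has left the organization


def fingerprint(secret: str) -> str:
    """Hash a secret so reuse can be detected across systems without keeping plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def check_complexity(secret: str) -> list[str]:
    """Return the complexity rules a candidate secret fails (empty list means it passes).

    Run at the moment a secret is set or rotated, which is the only time the plaintext exists.
    """
    failures = []
    if len(secret) < MIN_SECRET_LENGTH:
        failures.append(f"shorter than {MIN_SECRET_LENGTH}")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, secret)) for c in classes) < 3:
        failures.append("fewer than 3 character classes")
    if re.search(r"(.)\1\1", secret):
        failures.append("repeated character run")
    return failures


def find_shared(accounts: list[PrivilegedAccount]) -> list[list[str]]:
    """Group accounts by secret fingerprint; a group larger than one is a shared credential."""
    groups: dict[str, list[str]] = defaultdict(list)
    for a in accounts:
        groups[a.secret_fingerprint].append(f"{a.system}/{a.name}")
    return [sorted(g) for g in groups.values() if len(g) > 1]


def find_static(accounts: list[PrivilegedAccount], today: date) -> list[str]:
    """Accounts whose secret has not been rotated within the policy window."""
    return sorted(f"{a.system}/{a.name}" for a in accounts
                  if (today - a.last_rotated).days > MAX_ROTATION_DAYS)


def find_stale(accounts: list[PrivilegedAccount], today: date) -> list[str]:
    """Accounts nobody uses any more, or whose owner has left: candidates for removal."""
    return sorted(f"{a.system}/{a.name}" for a in accounts
                  if not a.owner_active or (today - a.last_used).days > MAX_IDLE_DAYS)


def audit(accounts: list[PrivilegedAccount], today: date) -> dict[str, list]:
    """Run every check and return the findings keyed by category."""
    return {
        "shared": find_shared(accounts),
        "static": find_static(accounts, today),
        "stale": find_stale(accounts, today),
    }


# Constructed sample inventory: fictional systems, people and secrets.
TODAY = date(2013, 11, 1)
SAMPLE = [
    PrivilegedAccount("dc01", "Administrator", fingerprint("Winter2012!"),
                      date(2012, 1, 15), date(2013, 10, 30), "it-ops", True),
    PrivilegedAccount("fileserver", "Administrator", fingerprint("Winter2012!"),
                      date(2012, 1, 15), date(2013, 10, 29), "it-ops", True),
    PrivilegedAccount("db01", "sa", fingerprint("x7#Qp9!mLr2@Vt4z"),
                      date(2013, 10, 1), date(2013, 10, 31), "dba-team", True),
    PrivilegedAccount("appsrv", "svc_backup", fingerprint("Backup#2011"),
                      date(2011, 6, 1), date(2013, 3, 1), "j.contractor", False),
    PrivilegedAccount("web01", "root", fingerprint("R!vP3q8@zL1$kWm9"),
                      date(2013, 9, 15), date(2013, 2, 1), "webteam", True),
]

if __name__ == "__main__":
    for category, findings in audit(SAMPLE, TODAY).items():
        print(f"{category}: {findings}")
    print("complexity of 'Winter2012!':", check_complexity("Winter2012!"))
```

On the sample data the two Administrator accounts surface as one shared credential and both are also flagged as static, the departed contractor's service account is both static and stale, and the root account on the web server is stale only because nobody has used it in months. The complexity check runs on plaintext, so it belongs at rotation time inside the vault or rotation job; the inventory itself carries only hashes, which is enough to detect reuse without creating a second copy of every secret.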
Solutions exist that can automate the process of discovering, strengthening and auditing privileged account credentials so your IT staff can save time for more strategic projects. The choice of how to regain control is yours to make. But for the sake of your organization's private data, the time to act is now.
Derrick Dickey develops privileged identity management and security management solutions for Lieberman Software Corp. He can be reached at: