The Super User: Organizations' Biggest Internal Threat - Podcast Transcript
Introduction
One of the most exploited and costly vulnerabilities on many server systems is the superuser account (“root” on UNIX, “Administrator” on Windows). Anyone holding the superuser password can generally do whatever they want, without restriction and often without adequate audit and tracking. Because of the unlimited power of this account, no file, device or command is off-limits. Even the system's auditing services are not immune, so the integrity of the audit logs is exposed to inadvertent or malicious actions. The potential for damage, accidental or intentional, is therefore very significant both for users of this account and for organizations that must meet regulatory compliance requirements.
The superuser is a privileged account that provides unrestricted access to the entire system: all commands and all files. Because the superuser can affect the security of the whole system, the “root” or “Administrator” password should be given only to people who absolutely need it, and the actions performed through the account should be carefully tracked. Separating privileges between administrators with differing job functions makes an operating system less vulnerable to inappropriate access; the lack of such separation in some operating systems has been cited as a major reason why they are less secure.
The problem is amplified when the superuser is not role-based and a common user ID and password are shared among administrators and developers. This creates a serious accountability problem: because superusers are not authenticated as individuals, it is often very difficult, if not impossible, to determine which person performed a particular destructive act. While the superuser is the most blatant vulnerability, most large systems also have other accounts with a wide range of system capabilities, shared by a number of individual users without adequate differentiation. Instead of allowing “catch-all” accounts, a more secure approach is for each user to have exactly the privileges he or she needs for precisely as long as needed, a model known as “least privilege”. This requires a finer granularity of identification and access entitlements than native operating systems offer.
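As an added worked example (written for this edit, not taken from the page or from CA), here is how the two requirements just described, attributing every privileged action to a named individual and checking that the action stays within that person's role, can be exercised against syslog-style sudo and sshd entries. The log lines are constructed for the example, and the user-to-role mapping and the per-role command allowlist are hypothetical. A direct root login is reported as unattributed because the log records no individual identity for it, which is exactly the accountability gap a shared superuser creates.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page) in the format sudo and
# sshd write to syslog: three sudo invocations and one direct root login.
SAMPLE_LOG = """\
Mar  3 10:01:12 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 10:02:40 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
Mar  3 10:05:03 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/ausearch -m USER_CMD
Mar  3 10:07:55 db01 sshd[2231]: Accepted password for root from 10.0.0.7 port 51234 ssh2
"""

# Hypothetical role assignments and per-role allowlist (an assumed policy,
# not one the page specifies). Each entry is an executable path, optionally
# followed by fixed arguments; further arguments are permitted after it.
ROLE_OF = {"alice": "dba", "bob": "sysadmin", "carol": "auditor"}
ALLOWED = {
    "dba": ["/usr/bin/systemctl restart postgresql", "/usr/bin/psql"],
    "sysadmin": ["/usr/bin/systemctl", "/usr/bin/apt-get"],
    "auditor": ["/usr/sbin/ausearch", "/usr/bin/journalctl"],
}

# sudo's syslog line carries the invoking user (the person), the target user
# (usually root) and the exact command, which is what makes attribution possible.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+)\s+:\s+.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)
# sshd's "Accepted ... for root" line records only the shared account and a source address.
ROOT_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")


def is_allowed(role, cmd):
    """True if cmd equals an allowed entry or is that entry followed by more arguments."""
    return any(cmd == p or cmd.startswith(p + " ") for p in ALLOWED.get(role, []))


def audit(log_text):
    """Attribute each privileged action to a person and check it against role policy."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            actor, cmd = m.group("actor"), m.group("cmd").strip()
            role = ROLE_OF.get(actor, "unknown")
            status = "allowed" if is_allowed(role, cmd) else "violation"
            findings.append({"actor": actor, "role": role, "cmd": cmd, "status": status})
            continue
        m = ROOT_LOGIN_RE.search(line)
        if m:
            # No individual identity is recorded: whatever happens in this
            # session cannot be traced back to a person.
            findings.append({"actor": "root", "role": "shared-superuser",
                             "cmd": "login from " + m.group("src"),
                             "status": "unattributed"})
    return findings


def summary(findings):
    """Count findings by status."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['status']:12} {f['actor']:6} ({f['role']}): {f['cmd']}")
    print(summary(results))
```

Run as-is, the script flags bob's `rm -rf /var/log/audit` as a policy violation by a named individual and the SSH login as an unattributed use of the shared account; alice's and carol's commands fall inside their roles. The same pattern, parse the privileged-action log, resolve the actor to a role, compare the command with the role's entitlements, is what a host access control product does continuously rather than after the fact.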
This document discusses the following questions:
• What is the superuser account?
• What are the security risks that the superuser introduces?
• What steps can organizations take to mitigate superuser threats?
David Kirkdorffer: What is the superuser?
Michael Liou: The superuser is an all-powerful administrative account, which is provided by native server operating systems. An analogy to describe the superuser is the scenario of having a PC repaired. Suppose there is a problem with a Windows laptop at work. The user calls the IT service technician, who comes to the user’s office. The technician does not log in using the user’s credentials; he or she logs in as the administrator. As such, the technician can perform almost any operation needed to fix the user’s computer.
This relationship with the IT administrator is fairly trusted and it is fairly safe to assume that he or she would not do anything malicious. However, because he or she was logged into the user’s computer as the administrator, there is nothing technically stopping him or her from accessing virtually any data on that computer. It could be sensitive sales information from the computer of the Vice President of Sales or it could be sensitive financial data from the computer of the Chief Financial Officer or the Controller.
In this situation, where IT is working in the user’s office, there is some element of limited risk. Often, sensitive data is not stored on the individual’s computer and often someone is watching the technician fix the computer. However, extrapolate that scenario to servers that house extensive stores of sensitive data. All these servers are touched by many different administrators, all operating somewhat behind the scenes.
There is a lack of accountability and the stakes are much higher. This is the situation we face with the superuser.
Kirkdorffer: How is the superuser account used in practice?
Liou: Think about the company that employs multiple people to keep the servers running. There are different kinds of administrators. For example, there is a systems administrator who performs general tasks such as maintaining server availability. There is the database administrator who maintains data integrity. Perhaps there is a security administrator or a security auditor.
Each of these roles requires a distinct set of permissions to perform their respective jobs. However, what is typically found in an organization is that people in different roles commonly log in as the superuser. As the superuser, they have any permission they might need to perform their job function, but they also have additional access that is unnecessary. While it is understandable why that is convenient for business operations, it exposes the organization to many potential security risks.
Kirkdorffer: Why is the superuser issue relevant today and was not in the past?
Liou: Actually, the superuser issue has been relevant for some time now. Over the past decade, or even beyond, organizations have recognized that the native operating system on both mainframe and distributed systems lacks sufficient access controls. In 2002, the Sarbanes-Oxley Act heightened awareness of this issue as well as many of the general identity and access management issues. Today, there are new regulations such as the Payment Card Industry Data Security Standard.
The PCI Standard was set forth for retailers to help protect consumer credit card information. There are also international regulations following in the footsteps of the Sarbanes-Oxley Act, such as the Japanese version (J-SOX) and laws like the Gramm-Leach-Bliley Act, which has global implications for the financial sector. All these continue to drive awareness about superuser protection.
Protecting Against the Superuser Threat
Kirkdorffer: How can an organization today protect against this superuser account?
Liou: Many organizations are using external access control solutions, which essentially provide an additional layer of protection to manage access to server-based resources. There are two aspects to protecting against the superuser. The first is proactively limiting each user to only the permissions needed to effectively perform his or her job function. This is commonly referred to as segregation of duties. The second element is effectively proving who has done what. One of the big dangers of a shared superuser account is the anonymity of those who are using it or sharing it. For example, if dozens of people were logging into the same servers using common superuser account credentials, audit trails tracing violations back to the superuser account would be useless. A good access control solution will trace actions back to the original user ID, not just to the superuser account.
Kirkdorffer: You want to be able to know exactly who has done what, when, and where?
Kirkdorffer: Does CA have a solution to meet this need?
Liou: CA has an effective solution called CA Access Control. In short, CA Access Control enforces who is able to access what and then provides granular audit trails to prove this appropriate access.
Kirkdorffer: What are some of the less obvious considerations for a company as they are protecting against the superuser account?
Liou: That is a good question because many of the things discussed so far examined a single server in isolation. There are other considerations for overall server security. First, most solutions that manage access rights do this through a series of security policies. For organizations with dozens or even hundreds or thousands of servers, a large number of security policies are created over time. When looking for a solution, look for one that allows the organization to efficiently manage these policies centrally across all servers and even to reuse common policies across similar servers. Some other elements to consider are the ability to group common policies together for easier deployment and the ability to run reports that show policy deviation over time.
Secondly, most server infrastructures include a variety of different kinds of operating systems, from Windows to UNIX and Linux systems to virtualized operating systems. Looking at solutions, choose one that can accommodate this breadth of platform support. In today’s networked environment, it is particularly applicable that the overall security infrastructure is only as strong as the weakest link. The goal is to bring collective security up to a consistent and elevated level.
Kirkdorffer: Do you have any final considerations regarding access control?
Liou: The superuser issue is as relevant today as it ever has been. Old compliance regulations are still in effect and new ones are being created continuously. From a best practices standpoint, the first step is to identify those mission-critical servers that store PCI data, HIPAA, or other sensitive data. Protect those first. Host access control solutions do not have to be an all-or-nothing implementation. Start with the most vulnerable servers and expand. Finally, consider how the access control solution fits in with the rest of the identity and access management deployment. It is important to leverage the synergies between solutions, whether that is using the identity management provisioning system to provision the access control administrators or using the access audit data to run reports that identify potential future security threats. The best thing is that, once the superuser threat is recognized, actions can be taken to protect against it.