
h2g2 Episode 9: The Keys to the Kingdom

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations.  Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation.  To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.


Episode 9: The keys to the kingdom

“Anyone who is capable of getting themselves made President should on no account be allowed to do the job.”

Douglas Adams, The Hitchhiker’s Guide to the Galaxy

[ Reading time: 11 minutes ]

The IT Crowd

In Episode 2 (Know thyself), I talked about the essential importance of using multi-factor authentication (MFA) to protect against password compromises, and about the high value targets that attackers pursue—Finance, HR, MIS, and executive teams.

And of course, the IT Crowd.  Your IT admins.

They are always major targets, because they hold the keys to the kingdom.

An IT user with “domain administrator” permissions can override all other controls without difficulty, and if one of these accounts is compromised, your organisation is in serious trouble.

Hackers talk about gaining “domain admin”… if they achieve that, it’s game over.  You’re totally compromised.

Reduced to tiers

There’s a well established model for how the IT team should manage the extra privileges they need to do the job.  It’s called “tiered administration”.  And the idea is very simple.

Most people in your organisation have a single login account which they use to do their work.  The IT Crowd have several, depending on what job they are doing.  At a minimum, that’s one login for day to day work, like email, web browsing, documentation and other routine administrative tasks, and a separate login for the technical administration tasks that require special privileges.  When tiering is fully implemented, each person in the IT team might have 4 or more accounts with differing levels of permission (or tiers) according to the task being undertaken.  And that’s before you count the myriad accounts for websites and other online tools and services which are part and parcel of the job.

Managing all those accounts can be a challenge.  4 usernames and passwords?  Which account goes with which task?  Sounds like a recipe for trouble.

There are a few techniques to help with this which you should be enforcing.

First up is to use a reputable password manager.  For 2 reasons.

  • If those accounts are going to be secure, they all need to have different passwords, and those passwords need to be long and strong to protect those privileged accounts from compromise.
  • Don’t expect your IT team to have to remember 4 usernames with different, long, strong passwords, let alone type them in.  They need to work efficiently as well as securely.

So, a reputable password manager is essential for this team to do its work.  (Look back at Episode 3: Knock, knock, who’s there? for more about password management.)

Second, lock things down so that using the wrong account for a task is impossible rather than merely discouraged.  A simple example is blocking internet access for privileged IT accounts, so that a malicious website cannot be used to drop and run malware on a server, where the consequences could be devastating.  Another is not giving IT administration accounts a mailbox or email address at all, which removes the phishing channel to those accounts entirely: an attacker cannot send a lure to an address that does not exist.

Third, have your IT team use separate workstations for day to day work and IT administration.  This removes the most common route by which a compromise of a lower privilege account (a phishing email opened on the admin’s everyday machine, say) spreads to a higher privilege one.  In the past, that required 2 separate computers; today, it can be achieved on a single computer using virtual desktops, provided the isolation runs the right way round.  The privileged environment must be the trusted host (or a dedicated, hardened virtual desktop hosted elsewhere) and the everyday browsing and email the guest, not the other way round.  A privileged session running inside a virtual machine on an everyday laptop inherits every compromise of that laptop, because whoever controls the host can read the guest’s keystrokes and screen.

Tiering works most effectively when it is applied to all three of these: IT admin account, tasks, and workstations.

Tier 1 tasks might be managing standard desktops and laptops.  Tier 2 might be servers, while Tier 3 might be critical servers like domain controllers.  You have separate IT accounts and workstations set up to manage each of these, and put controls in place to prevent any access to a Tier 3 domain controller from an account or workstation which isn’t in that Tier (in Active Directory that is done with logon restrictions, such as the “deny log on” user rights in Group Policy, rather than by relying on people to remember the rule).  One word of warning on vocabulary: Microsoft’s own Active Directory tier model numbers the other way round, with Tier 0 for identity systems and domain controllers, Tier 1 for servers and applications, and Tier 2 for user workstations.  Whichever numbering you adopt, agree it across the team and write it down, because the controls only work if everyone means the same thing by “Tier 3”.

Unfortunately, for traditional systems which are “on premises” (i.e. servers in a server room) it doesn’t come set up like that out of the box, and setting it up requires some effort.

In our Cyber Security Assessments, we generally find that most IT teams have a limited form of tiering in place, and provide advice and guidance on how to develop this further.

Reach for the cloud

The same tiering principle applies to managing services in the cloud.  For example, with MS365 IT administrators should have separate accounts for administration and day to day use of services like OneDrive or Outlook.

Many cloud-based systems come with Privileged Identity Management (PIM) and Privileged Access Management (PAM) features.  In MS365 these need the higher-tier licences (Entra ID P2, which is included in E5/A5).  These tools let you grant access for managing services on an “as and when required” basis: each request is authorised, time-limited and recorded, with a notification when privileges are activated, periodic access reviews and a full audit trail.

That means that the separate cloud admin accounts carry no standing privileges at all.  They are merely eligible for a role, and have to activate it (with MFA and a stated justification) for a limited window each time it is needed, which dramatically reduces what an attacker gains from compromising one of them.

Note that these tools are not enabled by default, and you’ll need to configure them for use.

When the proverbial hits the fan

Security people are always thinking about the “what if” scenarios.  One of these is what happens if you have a major incident which compromises your IT administrator accounts and locks you out of your network and systems.  It’s not at all beyond the realms of possibility, and it’s a bad day, for sure.  One you want to plan for.

There’s no silver bullet solution, but what you can do is make sure that you can still access as many of your systems as possible even if others are not available.  That means having some “break glass” or emergency accounts in reserve.

These accounts are completely separate from the other IT administration accounts, set up as “local” accounts for each system (rather than “domain accounts”; for a cloud tenant, that means a cloud-only account which is not synchronised from, or federated with, your on-premises directory), with long, strong, random passwords.  Oh, and without the everyday multi-factor authentication enabled.  Why?  Because, on the day you need to use them, you don’t want to be stuck because the phone that receives the code has gone with the rest of the IT team’s kit.  There is a middle way that many now prefer: register a hardware security key (a FIDO2 token) to each break glass account and keep the key in the same safe as the password, so the account still has a second factor that depends neither on a phone nor on the systems that have just failed.  Either way, exclude these accounts from the conditional access and MFA policies that govern everyone else, and make sure any sign-in to them raises an immediate alert, since the only legitimate use is an emergency.

These account details should be kept entirely separate from the IT team, for example, in a sealed envelope in a safe in the Principal’s office.  Better still, split each password in half and put one half with the Principal and the other half with the Finance Director, so that no single person can use the account alone…
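The following is an added example, not part of the original post, showing one way to do the two-envelope split in practice.  It takes the suggestion above one step further: instead of literally cutting the password in two (which hands each holder half the secret and makes the remainder far easier to guess), it XORs the password against a random pad of the same length, so each “half” is a full-length string that reveals nothing on its own.  A short fingerprint is stored with both envelopes so that the recombined password can be checked on paper before anyone types it into a system that locks out after a few failures.  The password length, the envelope labels and the use of Base32 for the written shares are all choices made for this example.

```python
"""Splitting a break-glass password so neither holder has anything useful alone.

Added example, not from the original post. Each share is a random-looking string
of the same length as the password; both are needed to recover it, and losing
either loses the password, so keep a sealed third copy under separate control.
"""
from __future__ import annotations

import base64
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "-_.!%#"


def generate_password(length: int = 32) -> str:
    """A long, random password drawn from a CSPRNG (length 32 is an assumption)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix stored with both shares, so the reconstructed password
    can be verified on paper before it is typed into a live system."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def split(password: str) -> tuple[str, str]:
    """Return two shares; both are required to recover the password."""
    data = password.encode("utf-8")
    pad = secrets.token_bytes(len(data))                 # share 1: random pad
    masked = bytes(d ^ p for d, p in zip(data, pad))     # share 2: password XOR pad
    # Base32 (upper-case letters and digits 2-7) is easy to write down and read out.
    return base64.b32encode(pad).decode(), base64.b32encode(masked).decode()


def combine(share1: str, share2: str) -> str:
    """XOR the two shares back together."""
    pad, masked = base64.b32decode(share1), base64.b32decode(share2)
    if len(pad) != len(masked):
        raise ValueError("these shares do not belong together")
    return bytes(p ^ m for p, m in zip(pad, masked)).decode("utf-8")


def make_envelopes(password: str) -> dict:
    """Everything that goes into the two safes; the fingerprint goes in both."""
    share1, share2 = split(password)
    fp = fingerprint(password)
    return {"principal": {"share": share1, "fingerprint": fp},
            "finance_director": {"share": share2, "fingerprint": fp}}


def open_envelopes(envelopes: dict) -> str:
    """Recombine and verify before use; a mismatch means a copying error or wrong envelope."""
    password = combine(envelopes["principal"]["share"],
                       envelopes["finance_director"]["share"])
    if fingerprint(password) != envelopes["principal"]["fingerprint"]:
        raise ValueError("fingerprint mismatch: check the shares were copied correctly")
    return password


if __name__ == "__main__":
    pw = generate_password()
    env = make_envelopes(pw)
    print("Principal holds:        ", env["principal"]["share"])
    print("Finance Director holds: ", env["finance_director"]["share"])
    print("Recombined OK:", open_envelopes(env) == pw,
          "fingerprint", env["principal"]["fingerprint"])
```

Print the two shares and the fingerprint, seal each share in its own envelope with the fingerprint written on the outside, and run the combine step on an offline machine on the day.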

Why?  Read on…

Guarding the guardians

The other big “what if” is what if one of the team goes rogue and misuses the privileges they have access to.

This is a challenge to manage for all roles with privileges—even (dare I say) the Principal and Finance Director—but the checks and balances are perhaps less well developed for IT administrators because the scope of what can go wrong is less well understood.

You have 3 main controls to apply.

The first is a process control.  Make sure to have deputisation and oversight in place—don’t have any single person who holds all the keys.  If you only have a single person administering a system or service, that’s not only a single point of failure which exposes a vulnerability if they are absent for any reason, but also means that no-one else knows what they are up to.  So, split the responsibilities for key systems and services amongst colleagues, and ensure that these have someone else assigned to deputise, who knows enough about how the system works to be able to carry on the work if needed, and can spot if things aren’t being done right.

The second is a set of technical controls.  Have alerting and monitoring in place, so that an email (or a ticket) goes out whenever an administrator password is changed, a privileged account is created, or privileged permissions are added to or removed from an account.  That makes it much harder for anyone to act with impunity, and it is just as useful for spotting an attacker who has got hold of an admin account as a colleague who has gone rogue.  Some systems offer “quorum authorisation” for high privilege tasks, which requires a second administrator to approve a change before it takes effect.  It’s the same idea as the separation of duties in financial control, or requiring multiple signatories for a transaction.
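To make the alerting concrete, here is an added example (not from the original post) of the kind of rule set a monitoring tool would run over Windows Security log events.  It covers the two things described in this post: the membership changes and password resets on privileged accounts described just above, and the tier boundary from “Reduced to tiers”, by flagging any tiered admin account used on a machine outside its tier.  The event IDs are the real Windows ones; the account names, host names and the inventory tables are constructed for the example, and a real deployment would take them from the asset register rather than from a naming convention.

```python
"""Alerting on privileged-account changes and cross-tier logons.

Added example (not from the original post). The events below are constructed
dictionaries shaped like the fields an agent extracts from the Windows Security
log; the event IDs are real, the names and hosts are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Windows Security log event IDs (real, stable values).
GROUP_MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled global/local/universal group
GROUP_MEMBER_REMOVED = {4729, 4733, 4757}  # member removed from one
PASSWORD_RESET = 4724                      # an attempt was made to reset an account's password
LOGON = 4624                               # an account was successfully logged on

# Groups whose membership is "the keys to the kingdom" (assumption: extend for your directory).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Tier inventory using this post's numbering: Tier 1 desktops, Tier 2 servers,
# Tier 3 domain controllers. Assumption: illustrative names; source these from
# your asset inventory in practice.
ACCOUNT_TIER = {"adm-t3-jbisset": 3, "adm-t2-asmith": 2, "adm-t1-asmith": 1}
HOST_TIER = {"DC01": 3, "PAW-T3-01": 3, "SRV-FILE01": 2, "PAW-T2-01": 2, "LAPTOP-0427": 1}


@dataclass(frozen=True)
class Alert:
    severity: str
    event_id: int
    message: str


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if this single event warrants one, else None."""
    eid = event["EventID"]
    actor = event.get("SubjectUserName", "?")

    if eid in GROUP_MEMBER_ADDED or eid in GROUP_MEMBER_REMOVED:
        # For group-change events TargetUserName is the group and MemberName the account.
        group = event["TargetUserName"]
        if group in PRIVILEGED_GROUPS:
            verb = "added to" if eid in GROUP_MEMBER_ADDED else "removed from"
            return Alert("high", eid, f"{event['MemberName']} {verb} {group} by {actor}")
        return None

    if eid == PASSWORD_RESET:
        target = event["TargetUserName"].lower()
        if target in ACCOUNT_TIER:
            return Alert("high", eid, f"password of privileged account {target} reset by {actor}")
        return None

    if eid == LOGON:
        account = event["TargetUserName"].lower()
        account_tier = ACCOUNT_TIER.get(account)
        if account_tier is None:
            return None  # ordinary user account; tiering rules do not apply
        # Check both the machine the logon landed on and the machine it came from.
        for host in (event["Computer"].upper(), event["WorkstationName"].upper()):
            host_tier = HOST_TIER.get(host)
            if host_tier is None:
                return Alert("medium", eid, f"{account} (tier {account_tier}) used on unknown host {host}")
            if host_tier != account_tier:
                return Alert("high", eid,
                             f"{account} (tier {account_tier}) used on {host} (tier {host_tier}): tier boundary crossed")
        return None

    return None


def detect(events: list[dict]) -> list[Alert]:
    """Run every event through the rules and keep the alerts, in log order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "adm-t3-jbisset", "TargetUserName": "Domain Admins",
     "MemberName": "CN=adm-t2-asmith,OU=Admins,DC=example,DC=ac,DC=uk"},
    {"EventID": 4728, "SubjectUserName": "adm-t2-asmith", "TargetUserName": "Marketing",
     "MemberName": "CN=jdoe,OU=Staff,DC=example,DC=ac,DC=uk"},
    {"EventID": 4724, "SubjectUserName": "adm-t2-asmith", "TargetUserName": "adm-t3-jbisset"},
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "TargetUserName": "jdoe"},
    {"EventID": 4624, "TargetUserName": "adm-t3-jbisset", "Computer": "DC01", "WorkstationName": "PAW-T3-01"},
    {"EventID": 4624, "TargetUserName": "adm-t3-jbisset", "Computer": "LAPTOP-0427", "WorkstationName": "LAPTOP-0427"},
    {"EventID": 4624, "TargetUserName": "jdoe", "Computer": "LAPTOP-0427", "WorkstationName": "LAPTOP-0427"},
    {"EventID": 4733, "SubjectUserName": "adm-t2-asmith", "TargetUserName": "Administrators",
     "MemberName": "CN=adm-t3-jbisset,OU=Admins,DC=example,DC=ac,DC=uk"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity}] event {alert.event_id}: {alert.message}")
```

Of the eight constructed events, four produce alerts: an account being added to Domain Admins, a reset of a Tier 3 account’s password by a Tier 2 account, the Tier 3 account being used on an ordinary laptop, and a removal from the local Administrators group.  The unknown-host case is deliberately rated lower, because it usually means the inventory is out of date rather than that an attack is under way.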

The third measure is a policy control.  Have a code of conduct which outlines the professional standards and responsibilities expected of privileged account holders, along with the sanctions for misuse.  This applies not just to the IT team but to anyone in the organisation who has access to critical or sensitive systems or data—that means your Finance, HR, MIS and Estates teams, and—you guessed it—the executive leadership team.  Ensure it is signed off annually by each person, so that the standards become embedded in working practice.

A Final [Deep] Thought

In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at event auditing and logging – the unsung hero of the cyber security world.  “It’s the log that counts.”

For now, you can take useful steps forward by reviewing the process, technical and policy controls for your organisation’s privileged account holders.  Are the accounts properly secured with strong passwords and MFA?  Do you have tiering in place with separate accounts for privileged tasks?  Do you have secure administration in place for your cloud services?  Do you have emergency accounts set up and stored safely?  Do you have deputisation and oversight in place?  Do you have alerting mechanisms or quorum authorisation for key changes?  Do you have a code of conduct for all holders of accounts with privileged access?


James Bisset is a Cyber Security Specialist at Jisc.  He has over 25 years’ experience working in IT leadership and management in the UK education sector. He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, and is a member of the GIAC Advisory Board.
