As investment advisers and broker-dealers consider sophisticated and costly monitoring tools as a panacea for IT Security, we still find a regular need for fundamental information practices, which could have a much greater impact on preventing and controlling breaches. The good news for businesses, whether you consider the firm to be small or an enterprise, is that several basic controls remain cost-effective and, in many cases, free.
In gaining an understanding of your IT environment, one thing the CCO can take charge of is the battle lines of administrative access and ownership of critical systems and services.
There is a ridiculous amount of terminology around IT Security and the C-word, Cybersecurity. Some terms should be a regular part of the lexicon and, in thinking about administrative access and ownership, the concept “Attack Surface” strikes me as most applicable.
You should know that the end-goal of the serious attacker is administrative control of your environment. In the case of the Microsoft Windows environment, which is most prevalent among our client base, gaining Domain Administrative Rights, permitting access and control across the entire environment and all systems/servers, is the Holy Grail.
There are many ways that administrative control can be achieved, but Chief Compliance Officers should be familiar with the basic path and steps for which all attackers and pen-testers are angling. If you know these simple steps, you can think about layered security and how to disrupt the attack. You will also have a better understanding of a penetration tester’s methodology.
- Malware Injection – the phishing email, removable media attack, web exploit, or other method aimed at the give-up of credentials or a toehold in a single system.
- Reconnaissance/Footprinting – once established, mapping the system and connected network resources.
- Credential Theft and Privilege Escalation – the process of capturing additional credentials and elevating access to broader rights such as administrative control.
- Accessing Data and Exfiltration – elevated administrative rights will likely permit access to some critical data which can then be removed from the environment.
- Retaining Access – several high-profile attacks have involved an attacker maintaining a low-profile system and network presence which permits long-term exploration and exfiltration.
Unfortunately, achieving system access through the give-up of credentials is considered easy, as a certain percentage of spear-phished employees will roll over. This is obviously where compensating controls like training and two-factor authentication (“2FA”) may help you out. Assuming that an attacker has gained access, however, you want to do everything you can to prevent privilege escalation and their ability to pivot across systems and the network.
Here are some of the steps and issues you may wish to consider:
Strictly Control Domain Admin and Other Forms of High-Level Access. This means knowing who has such privileged access and periodically validating these users. There is no need for multiple persons, beyond reasonable redundancy for business continuity purposes, to have the keys to the kingdom. Ask your internal head of IT or your primary IT Consultant for strict accountability and validation on this point.
Domain Admin is the highest tier of Ownership in the Windows/Active Directory environment, so it almost goes without saying that access practices, password complexity, and remote access should all be subject to enhanced security controls which are regularly reviewed. The typical eight-character complex password required of standard users is not sufficient here or for other high-level admins.
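As an added example, not taken from the original article, the following PowerShell script performs the validation described above: it expands the high-level groups recursively, lists every member for the CCO's periodic review, and flags accounts with weak password settings or no recent use. It assumes the RSAT ActiveDirectory module is installed; the group list and the 90-day password age are placeholder policy values to be adjusted for your environment.

```powershell
# Added example: enumerate privileged AD group membership and flag weak account settings.
# Requires the RSAT ActiveDirectory module; run as an account permitted to read AD.
Import-Module ActiveDirectory

# Groups treated as "keys to the kingdom". This list is an assumption; extend it with
# any custom groups that have been delegated high-level rights in your own environment.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Passwords on privileged accounts older than this are flagged (assumed policy value).
$MaxPasswordAgeDays = 90

$report = foreach ($group in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members | Where-Object { $_.objectClass -eq 'user' }) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled
        $findings = @()
        if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $findings += "PasswordOlderThan${MaxPasswordAgeDays}d"
        }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-60)) {
            $findings += 'NoLogonIn60d'   # stale privileged account: candidate for removal
        }
        if (-not $u.Enabled) { $findings += 'DisabledButStillMember' }
        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Findings        = ($findings -join ';')
        }
    }
}

# Full membership list for the periodic validation, plus the subset that needs action.
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$report | Where-Object Findings | Export-Csv -Path .\privileged-access-review.csv -NoTypeInformation
```

The CSV is the artifact to keep with the compliance file: an account that appears in it, or a member the CCO does not recognise, is the question to put to the head of IT or the IT consultant.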
Active Directory (AD) Administrators and Owners Can Also be Fenced Off. Most of the time, Domain Administrators will also be the persons making regular changes within Active Directory, but not always. It is remarkable that so much of many financial services firms’ environments is controlled by Active Directory, yet Compliance has rarely dug into it with both hands. Silos still exist in the cases of some of these high-level IT processes, but Compliance clearly needs validation regarding Active Directory processes. Who are the Owners of Active Directory? What are their access/authorization controls?
Applications (Internal and Cloud-Based) Should Also Have Owners With Enhanced Security Controls. An application “owner” is the person (or people) responsible for internal applications and servers. In addition to clear policies regarding access controls, these owners should also have awareness of the connectivity of those systems and of patching protocols. Is it necessary for those systems and applications to be connected across the network, or can critical servers and applications be isolated? Isolation can mean a lot of different things: do all critical systems need to be online, and can they be placed on separate networks or subnets?
Security of critical cloud-based applications is improving all of the time, especially for vendors to financial services firms. Who are the Owners of your cloud-based applications? Do they clearly understand the security components of user administration and the security dashboards? If client or other important data is in the mix, are these owners using strong, complex passwords and 2FA wherever feasible? Remember that, unlike your internal applications, many cloud-based services can be accessed from any browser, and perhaps from vulnerable systems.
Consider Segmenting Processes in Addition to Segregation of Users. Group permissions and individual user participation are common discussion points and well-understood security notions. In addition to understanding your Domain admins and AD owners, we are all familiar with the concepts of least-privileged Users and access on an as-needed basis only. The CISO and the CCO should also be asking whether a single network segment or local area network (“LAN”) contains all critical resources. Is it really necessary for your Sales and Marketing personnel to be on the same network as your Portfolio Managers or Client Services Team? While there is some work involved, it is possible to create separate, protected networks for different users and systems, as mentioned above. Have a discussion with your internal IT personnel or your Vendor about segmentation.
Managing Vendor Administrative Access. Vendors who may be performing maintenance, upgrading infrastructure, or adding systems and services may require some form of elevated access. The key with Vendors who are not part of your organization or your primary IT consultants is managing, monitoring, and revoking this access. I also like the idea of forcing 2FA on vendors who may not have the greatest security and password controls in place themselves.
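As an added example, not part of the original article, this PowerShell script time-boxes vendor accounts in Active Directory and reports any that lack an expiry, have drifted into a high-level group, or are past expiry but still enabled. It assumes vendor accounts live in a dedicated OU (the DN below is a placeholder), that 30-day access windows are the policy, and that the RSAT ActiveDirectory module is installed.

```powershell
# Added example: grant vendor access in fixed windows, then report and revoke.
# The OU distinguished name and the 30-day window are placeholders for your own policy.
Import-Module ActiveDirectory

$VendorOU         = 'OU=Vendors,OU=External,DC=example,DC=local'   # placeholder, adjust
$MaxVendorDays    = 30                                             # assumed policy window
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Grant-VendorWindow {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = $MaxVendorDays)
    # Every grant carries an expiry; extending access means consciously re-running this.
    $until = (Get-Date).AddDays($Days)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $until
    Enable-ADAccount -Identity $SamAccountName
    Write-Output "$SamAccountName enabled until $until"
}

function Get-VendorAccessFindings {
    $vendors = Get-ADUser -SearchBase $VendorOU -Filter * -Properties AccountExpirationDate, LastLogonDate, MemberOf
    foreach ($v in $vendors) {
        $findings = @()
        if (-not $v.AccountExpirationDate) { $findings += 'NoExpiration' }
        elseif ($v.AccountExpirationDate -gt (Get-Date).AddDays($MaxVendorDays)) { $findings += 'ExpirationTooFarOut' }
        if ($v.Enabled -and $v.AccountExpirationDate -and $v.AccountExpirationDate -lt (Get-Date)) {
            $findings += 'ExpiredButEnabled'   # expiry already blocks logon; disable explicitly anyway
        }
        # MemberOf lists direct groups only; nested paths are caught by a recursive privileged-group audit.
        $privileged = $v.MemberOf | ForEach-Object { (Get-ADGroup $_).Name } | Where-Object { $PrivilegedGroups -contains $_ }
        if ($privileged) { $findings += "PrivilegedMember:$($privileged -join ',')" }
        if ($findings) {
            [pscustomobject]@{ SamAccountName = $v.SamAccountName; Enabled = $v.Enabled
                               Expires = $v.AccountExpirationDate; LastLogon = $v.LastLogonDate
                               Findings = ($findings -join ';') }
        }
    }
}

# Revoke: disable any vendor account that is past its expiry but still enabled.
Get-VendorAccessFindings | Where-Object { $_.Findings -like '*ExpiredButEnabled*' } |
    ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName }
# Report what remains for the CCO's review of vendor access.
Get-VendorAccessFindings | Format-Table -AutoSize
```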
Conclusion: There are other circumstances where administrative access may need to be provided to certain users, such as in a business continuity or emergency scenario. The key, just like with other forms of privileged access, is managing this process. Controlling administrative access is very much about managing and reducing the attack surface. Keeping close tabs and validated lists of your admins and owners will help you understand and control the environment. This type of validation is well within the grasp of the Chief Compliance Officer, who is a key player in the IT environment.
Unfortunately, and as we have written in the past, security and convenience do not go hand-in-hand. In fact, sometimes they are diametrically opposed. Make sure administrators also have and maintain separate user accounts for normal or non-administrative tasks.