Federal Employee Database Breach: Weak Remote Admin Access?
From an MSP’s perspective, the most disturbing thing about the data breach story du jour – the one in which 4 million records of current and former federal employees were compromised – is the paragraph on page A18 of the New York Times. That’s the one that goes, “The intrusion came before personnel office fully put into place a series of new security procedures that restricted remote access for administrators of the network and reviewed all connections to the outside world through the Internet.”
Could such a fact have a chilling effect on your remote-management proposals? If the federal Office of Personnel Management can’t properly gate remote network admins, your customers and prospects might think, what chance do they have with you? I asked Chester Wisniewski, senior advisor at security vendor Sophos, if there are any lessons here for MSPs who remote into their clients’ networks.
“Absolutely. We’ve seen mistakes made in the past by MSPs that are similar to this that have led to breaches,” says Wisniewski. “For example, with payment processing, where they would have a shared password across a hundred different chain restaurants that they manage, because it was inconvenient to have some sort of database to look up how to access all these different clients. Also, when you’re an MSP, you don’t know where your staff is going to need to manage things from. There’s often no kind of restriction in place that says, ‘Perhaps a log-in from China into this system is inappropriate, whereas a log-in from Dubuque is.'”
Adallom, a “cloud access security broker,” discusses the risks of admin account proliferation in its Cloud Risk Report of Nov. 14. While “zombie” user accounts — those of employees long gone, or simply unused — pose a hijack threat, zombie admin accounts, with their broader access privileges, are clearly much deadlier. That’s why they “are the preferred and most targeted attack vector for threat actors.” Within its customer community, Adallom finds that SaaS giant Salesforce averages seven admin accounts per 100 users.
Wisniewski says that administrators logging into government databases probably should be logging in from a government-owned network, or at least geographically within the United States, because those are simple restrictions you can put in place. He adds that for remote administrators, two-factor authentication should be a requirement. (Although Adallom’s report points out that the right malware can overcome this.)
“You may not want to implement something that complicated for everyday users to get their email or the services you’re providing as an MSP,” he says. “But certainly the ones that control the mother ship, the administrative users, need to have much tighter controls. That’s how you end up losing not just one person’s information, but conceptually, your whole client base. That’s a business-ending event.”
And although he doesn’t know the details of this breach – “if I did I couldn’t talk to you” – Wisniewski strongly suspects that …
… the federal government’s slow reaction time played a part in this breach.
“From my experience, the wheels of bureaucracy move very slowly in the federal government. It takes a lot longer to take action on these things,” he said. “Not to mention you’ve got to convince Congress to give you budget.”
He points out, as the Times story does, that the NSA is still struggling with data security, years after the Edward Snowden debacle.
Wisniewski adds that private-sector organizations have a “much easier time” reacting to the fast pace of change in IT security.
“We’re seeing the private sector just getting to a point now when they’re starting to get a good enough grasp of cyber security so that we’ll hopefully stop hearing these doomsday stories about credit card and health records. You know it’ll take a lot longer, unfortunately, for all the federal agents to bring their standards up to an equivalent.”
How can MSPs reassure their clients in the face of these stories?
“That’s a tough issue, because the clients hire you precisely because they’re not experts. You can’t just publish a bunch of technojargon about two-factor authentication, because they want to offload the responsibility for worrying about this onto you.”
At the same time, Adallom notes that IT professionals and MSPs in particular have to educate their clients to accept some responsibility; lack of discipline will foil the toughest security measures.
A good way to build confidence, says Wisniewski – “depending on how much money you have” – is to go through an independent, third-part security audit once or twice a year. At the top of the scale, these are performed by the Ernst & Youngs and Accentures. At a more common level, for say, a payment processing service provider, there are companies like Trustwave. While Wisniewski admits that MSPs rarely take such a step, he suggests that successful passage of such audits would make a very effective differentiator.
