Although IT professionals usually adhere to strict security guidelines in the complex development, implementation, and management aspects of their jobs, they sometimes drop their guard on security with some of the more mundane job duties, such as data center procedures. The challenge is that these procedures are generally unsophisticated to implement, yet can be very complex to secure. This article highlights the security weaknesses that such administrative procedures can create and outlines common sense management practices that can close such back door vulnerabilities.
Eliminating back door vulnerabilities is becoming an important goal for the security program. Cyber-criminals have begun to target specific organizations for financial gain, and they are actively searching for ways to gain access to financial and personal information contained in corporate systems. Furthermore, governmental regulations such as Sarbanes-Oxley and HIPAA require that organizations establish strong internal controls to mitigate the risk of information theft.
Maintenance Procedures That Can Create Back Door Vulnerabilities
There are many data center procedures regularly developed by the technical staff that can inadvertently introduce security vulnerabilities. For example:
These vulnerabilities are introduced because of the following common practices:
The technical staff often considers these vulnerabilities a necessary risk of managing the infrastructure. Because of their strong technical skills, personnel may feel confident that they have any risks associated with these procedures well under control. However, the technical staff can be lulled into a false sense of security regarding its ability to track and manage all of the back door vulnerabilities it has introduced over time.
Example: Tape Backup
A tape backup provides a good example of how a data center procedure can be implemented in a manner that creates a significant back door vulnerability. IT staff often place tape backup procedures into production with little formal control. They install and configure the software to execute the backup and enter a task into the schedule to perform the backup at required intervals.
What can make this scenario potentially disastrous is that the execution of the tape backup will almost always require escalated system privileges. Thus, the backup will execute in privileged mode often at the OS, network, data repository, and application system levels. In most environments, if a malicious individual can penetrate the tape backup infrastructure, he will gain access to the organization’s most sensitive data.
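As an added illustration of the control the passage describes as missing (this is example code written for this page, not from the article or Computer Economics): a small audit that parses cron-style scheduled jobs, keeps only those that run under a privileged account, and flags conditions that would let someone other than the administrator influence what the privileged job executes. The crontab entries, script paths and account names are constructed for the demonstration, and the set of privileged users and the three checks are assumptions about what a reviewer would confirm before such a job goes into production.

```python
"""Audit privileged scheduled jobs for weak controls around the program they run.

Constructed example: parses /etc/crontab-style lines (five time fields or an
@shortcut, then user, then command) and, for jobs running as a privileged
account, checks that the program exists, is referenced by an absolute path,
and is not writable by group or other.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumption: only these accounts count as privileged for this audit.
PRIVILEGED_USERS = {"root"}


@dataclass
class Finding:
    user: str
    command: str
    issue: str


def parse_system_crontab(text):
    """Return (user, command) pairs from system crontab text.

    Skips blank lines, comments and environment assignments (SHELL=/bin/sh).
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)      # @daily user command
        else:
            parts = line.split(None, 6)      # m h dom mon dow user command
        if len(parts) < 3:
            continue
        user, command = parts[-2], parts[-1]
        jobs.append((user, command))
    return jobs


def audit_jobs(jobs, privileged_users=PRIVILEGED_USERS):
    """Flag privileged jobs whose program could be altered or substituted."""
    findings = []
    for user, command in jobs:
        if user not in privileged_users:
            continue
        program = command.split()[0]
        if not os.path.isabs(program):
            # Resolved through PATH at run time, so the binary run is not pinned.
            findings.append(Finding(user, command, "relative program path"))
            continue
        try:
            st = os.stat(program)
        except FileNotFoundError:
            findings.append(Finding(user, command, "program missing"))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Anyone who can write the script controls what runs as root.
            findings.append(Finding(user, command, "program writable by group/other"))
    return findings


def demo():
    """Constructed scenario: two backup scripts, one with weak permissions."""
    tmp = tempfile.mkdtemp()
    safe = os.path.join(tmp, "backup_safe.sh")
    weak = os.path.join(tmp, "backup_weak.sh")
    for path in (safe, weak):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho backup\n")
    os.chmod(safe, 0o700)   # owner-only: acceptable
    os.chmod(weak, 0o777)   # world-writable: flagged
    crontab = f"""
SHELL=/bin/sh
# constructed /etc/crontab entries
0 2 * * * root {safe} --full
30 2 * * * root {weak} --incremental
@daily root {tmp}/missing.sh
15 3 * * * backup /usr/local/bin/rotate-logs
"""
    return audit_jobs(parse_system_crontab(crontab))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.user}: {f.issue}: {f.command}")
```

The job running as the unprivileged `backup` account is ignored on purpose: the audit is about where escalated privilege meets weak control, which is exactly the combination the tape backup scenario describes.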
In addition to the risk of outsiders taking advantage of back door vulnerabilities, it cannot be overlooked that many security incidents are the work of insiders. Some of the system management personnel who enjoy high system access rights and work on internal procedures may consider themselves above the security rules and regulations that the general IT populace must follow. While most system administrators would never intentionally compromise the infrastructure, there are always a few bad apples, and some of them are malicious.
Computer Economics research reveals that security risks from insiders continue to pose a threat. According to our recently released 2006 IT Security Study, a high percentage of security breaches are directly attributable to employees, contractors, and other insiders that have access within the firewall. Figure 1 illustrates that, at a minimum, 20% of all security breaches happen inside the firewall, and the total may be as high as 35%. While it is not being suggested that technical personnel are responsible for a significant number of those breaches, their special access rights do make it important to pay attention to the procedures that they follow on a daily basis. It is also important to recognize that these same individuals usually have access to the systems that are designed to detect malicious activity, which would allow them to delete log files, for example.
Another key problem is that most IT organizations are understaffed and overworked, yet they are still expected to deliver up-time as high as 99.999%. This statistic has a powerful message: virtual perfection is expected. The pace that these technicians must maintain creates the need to work faster and to focus on items that provide measurable benefits to the business. Internal data center procedures such as backups, logging, and monitoring do not fit into this category. Personnel are required to implement numerous detective controls, such as logging and monitoring, but they might not secure the systems that aggregate the collected logs, for example. This does not suggest a lack of concern or a malicious intent – they just do not have the time to develop adequate processes and procedures.
The larger and more complex the environment, the greater the incentive is for system administrators to create technical shortcuts. These shortcuts often take their toll on support procedures in the form of redundant passwords across multiple systems, excessive access rights that violate the “least privilege” rule of thumb, and the proliferation of ad hoc processes and procedures, including duplicate and outdated versions. When all of these elements are combined, the overall security of the system can become seriously compromised.
How to Minimize Back Door Vulnerabilities
What must you do to ensure that there are not significant back door vulnerabilities in your data center? Computer Economics recommends the following actions as principles for minimizing security risks in data center procedures.
Organizations with significant back door security vulnerabilities, as discussed in this article, have numerous avenues for unauthorized access and abuse. While the management practices outlined above are relatively inexpensive and easy to implement, they do require regular enforcement and a strong commitment on the part of management to provide oversight and, if required, disciplinary action.
This article was written by Contributing Research Analysts Ron Collette, CISSP and Mike Gentile, CISSP. They are authors of The CISO Handbook: A Practical Guide to Securing Your Company, published by Auerbach. For more information, please visit http://www.cisohandbook.com.
For a more complete analysis of current trends in IT security spending, staffing, technology, and management best practices, please refer to the Computer Economics IT Security Study.