Privileged Account Abuse, Not Smartphone ‘Bans’ The GCHQ Story

Much of the talk in IT security circles over the past week has been centred around new guidance for businesses from the UK’s spy agency. Sensationalist news reports told us that GCHQ has been telling firms to consider stripping employees of their mobile devices to avoid cyber attack. But between the attention-grabbing headlines and the indignant fury of industry rent-a-quotes was a very important warning from GCHQ:

“Dissatisfied users may try to abuse their system level privileges or coerce other users, to gain access to information or systems to which they are not authorised.” We couldn’t agree more. Attacks on privileged accounts, whether from “dissatisfied users” or external actors, represent among the most under-reported but potentially damaging forms of cyber intrusion facing organisations today.

Best practice

If you read the report critically, what CESG – the information assurance arm of GCHQ – is actually recommending in its “10 Steps to Cyber Security” is actually pretty good advice. It’s obviously down to an individual organisation whether they act on this advice, and that will depend on their risk profile and whether doing so might affect staff productivity, business agility and so on.

The reports main recommendations appear to be:

• Staff should only use trusted Wi-Fi connections when out and about
• Firms should monitor all user activity and inform staff that any abuse of corporate security policies will result in disciplinary action
• Staff should beware of shoulder surfers when outside, especially from those looking to spot their user log-ins.
• Firms should assess “business requirements” for staff access to “input/output devices and removable media” like smartphones and MP3

The weakest link

GCHQ is also right to warn that employees are the “weakest link in the security chain”. But we’d go one further. It’s IT staff and those with privileged accounts that are potentially the weakest link. As rightly mentioned by the intelligence agency, system level privileges are wide open to abuse.

But arguably more dangerous than the insider threat is the increasing frequency with which they’re being targeted by outsider groups. Think about it. If you’re a cyber criminal or a state-sponsored operative and you want to infiltrate a specific targeted organisation to retrieve sensitive data, where’s the best place to focus your efforts? On the temporary receptionist who might fall for your spear phishing email but only give you low-privileged access? Or on the IT admin who will give you the keys to the kingdom first time round?

It might take the attacker more time to research their spear phishing strategy to make sure it’s convincing, and to do some reconnaissance so they get the IT guy with the required set of account access rights – but it’ll be worth it. This is a step up from your average targeted attack – a quick, effective cyber sniper shot which stands a much better chance of evading detection. And social media and specialist forums provide the perfect reconnaissance tools for the clued up hacker.

Fighting back

It’s not easy to mitigate against this kind of attack but here are some initial tips:

• Always operate company-wide principle of least privileged account access
• Install systems to gain greater visibility into user behaviour – so you know when something is abnormal
• Invest in systems like Osirium Privileged Access Management which allow IT staff to log-on in a secure and automated manner without passwords. If there are no passwords to steal, the attacker can’t get in.

‍