Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues and offers some conjecture as to how the breach may have been carried out. One part of it definitely caught my eye, because it is closely related to work we get called on to do on a regular basis.

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base (sic) BMC Software — includes administrator-level user account called “Best1_user.”

[Image: an easy button that reads "not easy at all"]

It seems that in this case the attack vector may have been this IT management software suite. On BMC’s site, I looked at what seems to be the current version of that product, and one of the benefits listed is “Reduce administration time by up to 50% – freeing up staff for IT innovation.”

IT is Already Overwhelmed

It is no secret that the typical information technology organization is overloaded and overwhelmed. Scott Adams’ Dilbert comics poked fun at this decades ago, with Mordac, the Preventer of Information Services. A Canadian graduate school study uncovered that IT employees need help handling stress… in 2007. Follow that with seven straight years of increased technology demands, flat budgets, “work smarter, not harder”, and staff reductions, and you have created a recipe for disaster.

It is so hard for IT folks to get their day job done that automation tools have become a burgeoning market of their own. Gartner’s latest magic quadrant in this area lists 13 companies that generate at least $10M annual revenue from their automation tools. And in the wake of the Snowden affair, the NSA recently announced that it would begin the process of automating nearly 90 percent of its system administration duties.

Remain Ever Vigilant

System administration, by its very nature, requires administrative access to systems. Administrative access is what all attackers seek in order to take advantage of a system for their own purposes. So every IT automation tool that is used is essentially creating another potential opening into that system for attackers. The goal of information security professionals like me is to reduce the “attack surface” of a system, but tools like this increase it.

So, what to do?

The only possible path is vigilance, and unfortunately no solution will be perfect. However, my recommendations are as follows:

  1. Determine whether the increased risk to the system is worth the convenience of the IT automation tool.
  2. Assess the security of the IT automation tool or tools you are considering, and allow security concerns to drive the purchase decision. If you aren’t convinced a tool can be secure, find a different one that can.
  3. Document the configuration and installation of the IT automation tool, in order to ensure it is installed in its most secure state. For example, configure it to only accept instructions that can be verified as having come from your organization.
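Recommendation 3 asks that the tool only accept instructions that can be verified as having come from your organization. As an added illustration of what that looks like in practice (this is example code written for this post, not code from BMC or from any product mentioned above), the snippet below models a hypothetical automation agent: the issuer attaches a timestamp, a one-time nonce and an HMAC-SHA256 tag to every job, and the agent rejects anything whose tag does not verify, is older than five minutes, or reuses a nonce. All names (`ORG_KEY`, `issue_job`, `Agent`, `verify_job`) and the demo key and jobs are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key for this example only; a real deployment would load the
# key from a secret store and rotate it. All names here are hypothetical.
ORG_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # reject instructions older than five minutes


def canonical(job):
    """Serialize a job deterministically so issuer and agent MAC the same bytes."""
    return json.dumps(job, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_job(payload, key, now=None, nonce=None):
    """Issuer side: attach a timestamp, a one-time nonce and an HMAC-SHA256 tag."""
    job = {
        "payload": payload,
        "issued_at": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16) if nonce is None else nonce,
    }
    job["sig"] = hmac.new(key, canonical(job), hashlib.sha256).hexdigest()
    return job


class Agent:
    """Agent side: accept a job only if it verifiably came from the organization."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now            # injectable clock, handy for testing
        self.seen_nonces = set()  # replay cache (would be persisted in practice)

    def verify_job(self, job):
        """Return (accepted, reason). Checks run in the order: tag, age, replay."""
        sig = job.get("sig")
        if not isinstance(sig, str):
            return False, "missing signature"
        unsigned = {k: v for k, v in job.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(unsigned), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Only a job with a valid tag reaches the freshness and replay checks,
        # so an unauthenticated sender cannot fill the nonce cache.
        issued_at = unsigned.get("issued_at")
        if not isinstance(issued_at, int):
            return False, "missing timestamp"
        age = self.now() - issued_at
        if age < 0 or age > MAX_AGE_SECONDS:
            return False, "stale or future-dated"
        nonce = unsigned.get("nonce")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Exercise the happy path and the failure modes with a fixed clock."""
    clock = 1_700_000_000
    agent = Agent(ORG_KEY, now=lambda: clock)
    good = issue_job({"action": "restart-service", "host": "web01"}, ORG_KEY, now=clock, nonce="n1")
    # Same tag, different payload: the tag no longer matches.
    tampered = dict(good, payload={"action": "add-admin-user", "host": "web01"})
    # Signed with a key the organization never issued.
    forged = issue_job({"action": "add-admin-user"}, b"attacker-guessed-key", now=clock, nonce="n2")
    # Correctly signed an hour ago: outside the freshness window.
    stale = issue_job({"action": "restart-service"}, ORG_KEY, now=clock - 3600, nonce="n3")
    return {
        "good": agent.verify_job(good),
        "replay": agent.verify_job(good),      # second delivery of the same job
        "tampered": agent.verify_job(tampered),
        "forged": agent.verify_job(forged),
        "stale": agent.verify_job(stale),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

A shared HMAC key is the simplest form of this check; its weakness is that any host holding the key can also mint jobs, so one compromised agent can instruct the others. A public-key signature (for example Ed25519) in place of the HMAC lets each agent verify jobs while holding nothing that can sign them, which is the better fit when the tool manages many systems. Whichever scheme the tool supports, the documented installation from recommendation 3 should record that it is enabled and which key is trusted.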

If you have questions about how to assess the security of a piece of software, or need help figuring out the best or most secure configurations it offers, feel free to contact us.

6 thoughts on “Making Things Easy is Hard”

  1. markstouse says:

    BMC Software Comments on Speculation Concerning the Target Breach

    HOUSTON, January 30, 2014 – BMC Software today issued the following statement regarding the speculation in the press concerning the Target data breach:

    There have been several articles in the press speculating about the Target breach. BMC Software has received no information from Target or the investigators regarding the breach. In some of those articles, BMC products were mentioned in two different ways.

    The first was a mention of a “bladelogic.exe” reference in the attack. The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software. McAfee has issued a security advisory stating that: “The reference to ‘bladelogic’ is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way.”

    The second reference was to a password that was possibly utilized as part of the attack, with the implication that it was a BMC password. BMC has confirmed that the password mentioned in the press is not a BMC-generated password.

    At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack.

    Malware is a problem for all IT environments. BMC asks all of our customers to be diligent in ensuring that their environments are secure and protected.

    ###

    BMC Software. IT Innovation Drives Business Transformation.
    For more than 30 years, BMC has helped thousands of companies around the world master IT complexity. From mainframe to cloud to mobile, from the back room to the boardroom, BMC delivers the automation, integration, and sophistication that enable the business and IT to perform like never before. To learn more, visit bmc.com.
    BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. © Copyright 2013 BMC Software, Inc.

    Editorial contact
    Mark Stouse
    BMC Software mobile 281.468.1608
    mark_stouse@bmc.com
