Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues and offers some conjecture as to how the breach may have been carried out. One part of it definitely caught my eye, because it is closely related to some of the work we get called on to do on a regular basis.
That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base (sic) BMC Software — includes administrator-level user account called “Best1_user.”
It seems in this case the attack vector may have been this IT management software suite. On BMC’s site, I looked at what seems to be the current version of that product, and one of the benefits listed is “Reduce administration time by up to 50% – freeing up staff for IT innovation.”
IT is Already Overwhelmed
It is no secret that the typical information technology organization is overloaded and overwhelmed. Scott Adams’ Dilbert comics poked fun at this decades ago, with Mordac, the Preventer of Information Services. A Canadian graduate school study uncovered that IT employees need help handling stress… in 2007. Follow that with seven straight years of increased technology demands, flat budgets, “work smarter, not harder”, and staff reductions, and you have created a recipe for disaster.
It is hard enough for IT folks to get their day job done that automation tools have become a burgeoning market of their own. Gartner’s latest magic quadrant in this area lists 13 companies that generate at least $10M in annual revenue from their automation tools. And in the wake of the Snowden affair, the NSA recently announced that it would begin the process of automating nearly 90 percent of its system administration duties.
Remain Ever Vigilant
System administration, by its very nature, requires administrative access to systems. Administrative access is what all attackers seek in order to take advantage of a system for their own purposes. So every IT automation tool that is used is essentially creating another potential opening into that system for attackers. The goal of information security professionals like me is to reduce the “attack surface” of a system, but tools like this increase it.
So, what to do?
The only possible path is vigilance, and unfortunately no solution will be perfect. However, my recommendations are as follows:
- Determine whether the increased risk to the system is worth the convenience of the IT automation tool.
- Assess the security of the IT automation tool or tools you are considering, and allow security concerns to drive the purchase decision. If you aren’t convinced a tool can be secure, find a different one that can.
- Document the configuration and installation of the IT automation tool, in order to ensure it is installed in its most secure state. For example, configure it to only accept instructions that can be verified as having come from your organization.
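Two of the points above can be turned into routine checks. The first is the finding from the Krebs article: a management suite installed a known, vendor-named administrator account, and nobody was looking for it. The second is the last recommendation: an agent should act only on instructions that can be verified as having come from your organization. The script below is an added example written for this post, not code from BMC, Target or the Krebs article. It assumes a constructed list of local accounts and admin-group members (as you might collect from an inventory tool), a shared secret held only by your organization’s automation controller, and a simple HMAC-signed instruction envelope with a timestamp and nonce; all of those are assumptions for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed watch list of vendor-default administrative account names.
# "Best1_user" is the name cited in the article; add the defaults of every
# management suite in your own environment (comparison is case-insensitive).
VENDOR_DEFAULT_ACCOUNTS = {"best1_user"}

# Maximum age (seconds) an instruction may have before it is rejected.
MAX_AGE_SECONDS = 300


def find_vendor_default_accounts(local_accounts, admin_group_members,
                                 known_defaults=VENDOR_DEFAULT_ACCOUNTS):
    """Return every local account whose name is a known vendor default,
    noting whether it currently holds administrator-group membership."""
    admins = {name.lower() for name in admin_group_members}
    findings = []
    for account in local_accounts:
        if account.lower() in known_defaults:
            findings.append({"account": account,
                             "is_admin": account.lower() in admins})
    return findings


def sign_instruction(instruction, key):
    """Controller side: canonicalise the instruction and attach an HMAC-SHA256
    tag keyed with the organization's shared secret (assumed)."""
    body = json.dumps(instruction, sort_keys=True,
                      separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "mac": mac}


def verify_instruction(envelope, key, seen_nonces, now=None):
    """Agent side: accept an instruction only if the tag verifies, the
    timestamp is fresh, and the nonce has not been seen before.
    Returns (True, instruction) or (False, reason)."""
    now = time.time() if now is None else now
    body = envelope.get("body", "").encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak tag bytes.
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        return False, "bad signature"
    instruction = json.loads(body)
    issued = instruction.get("issued_at")
    if not isinstance(issued, (int, float)) or abs(now - issued) > MAX_AGE_SECONDS:
        return False, "stale or missing timestamp"
    nonce = instruction.get("nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    seen_nonces.add(nonce)
    return True, instruction


if __name__ == "__main__":
    # Constructed inventory data for demonstration.
    accounts = ["Administrator", "Best1_user", "svc_backup"]
    admins = ["Administrator", "Best1_user"]
    for finding in find_vendor_default_accounts(accounts, admins):
        print("vendor default account present:", finding)

    key = b"constructed-shared-secret"   # assumption: distributed out of band
    seen = set()
    env = sign_instruction({"cmd": "restart_service", "args": ["spooler"],
                            "issued_at": time.time(), "nonce": "n-0001"}, key)
    print("first delivery:", verify_instruction(env, key, seen)[0])
    print("replayed delivery:", verify_instruction(env, key, seen))
```

The account audit is the cheap part and is worth running on a schedule, because a vendor default that is also an administrator is exactly the combination the article describes. The signed-envelope check shows what “verified as having come from your organization” means in practice: a tag only your controller can produce, plus a freshness window and a nonce cache so a captured instruction cannot simply be resent later.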
If you have questions about how to assess the security of a piece of software, or need help figuring out the best or most secure configurations it offers, feel free to contact us.