September 27, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
The AAA Protocols: Authentication, Authorization & Accounting
The Uber hack last week has many lessons learned in it (frankly I could write a whole month's worth of newsletters from this one incident!) but I'm going to focus on one fact this week: once the attacker was in Uber's internal network, “a single hard coded password has been used to access [Uber’s] privileged access management system, giving access to any area of the IT environment that links to it.” This reminded me of a topic I last discussed a couple of years ago, when CISA released the fourth in their series of Cyber Essentials Toolkits:
This toolkit chapter focuses on the use of access lists and authentication tools to appropriately limit user access on your network. Organizations can provide a secure digital workplace by controlling who has access to the network and applications.
As I was thinking about how to break this down for you (since it’s a really important concept!), I remembered the AAA Protocols. Wikipedia defines the AAA Protocols as “a family of protocols that mediate network access.” They are: Authentication, Authorization and Accounting.
Let’s talk about each in turn.
Authentication: Who are you? This is the most basic step in determining whether this person, device or process should have network access. Who are you? How do I know that you are who you say you are? For users on a network, authentication is most often accomplished by typing in a user name and a password. In some networks, there may be a second factor of authentication (a USB device, a token that generates a one-time code, or a magnetic card). These are great additions to your network security (you know how I feel about 2FA!) and it’s a requirement for DFARS compliance.
Authorization: Are you allowed here? I usually explain this in terms of bookkeeping software, because every business has it and people generally understand the concept of restricting access to financial data. So I’m guessing your payroll clerk can’t make GL entries or run financial statements. You’ve restricted her access. That’s good. What about the accounts receivable clerk, can she see payroll reports? Does the guy who only generates purchase orders need access to the payables report? The payables clerk does nothing but enter invoices, not pay them – can he/she print checks?
These principles apply to network access also. For example, does the shop foreman need a login on the server that holds the bookkeeping software? What about the marketing director? They probably need a login to the file server, email, maybe group calendar … but if they don’t need to access the bookkeeping software at all, then their network logins shouldn’t give them access to it.
Accounting: What are you doing here? The first two of the AAA Protocols fall under the “Protect” core function of the NIST CSF, while the third falls under the “Detect” core function. You’ve heard it said “It’s no longer a matter of whether you are attacked, it’s when” and sadly this is true. A strong Accounting protocol will help you detect an attack, and also determine exactly what happened (so you can plug that hole and mitigate the damage).
You’ve probably read stories of organizations infected with ransomware, and they often say “but no data was stolen.” How do they know this? Without proper Accounting, i.e., being able to trace activity across the network, it’s impossible to say whether or not data was stolen (or worse, tampered with).
This is also why it’s important to have unique login credentials for every user, device and process on the network. If everyone in the sales department logs in as “sales” then it can be difficult to track down the origin of an attack using those credentials.
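To make the three A's concrete, here is an added example in Python (my own illustration, not code from the newsletter, CISA or any vendor). It runs one request through a toy gateway: authenticate the login with a salted password hash, authorize the action against a deny-by-default role table built from the bookkeeping roles above, and write every attempt to an audit log. The last function asks the Accounting question an investigator asks: who actually did this? Every user name, role, password, IP address and log entry is constructed for the example; the shared “sales” login shows why a shared account only narrows the answer to a list of suspects.

```python
import hashlib
import hmac
import secrets

# Added example, not the newsletter's own code. Every user, role, password and
# log entry below is constructed for illustration.

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(role: str, password: str, owners: list[str]) -> dict:
    """Directory entry. 'owners' lists the real people who know this password:
    exactly one for a proper per-user login, several for a shared login."""
    salt = secrets.token_bytes(16)
    return {"role": role, "salt": salt, "digest": hash_password(password, salt), "owners": owners}


# Constructed directory: one login per person, plus the shared "sales" login the
# newsletter warns about. Names and passwords are hypothetical.
USERS = {
    "alice": make_account("payroll_clerk", "alice-pass-1", ["Alice"]),
    "bob":   make_account("ar_clerk",      "bob-pass-2",   ["Bob"]),
    "carol": make_account("purchasing",    "carol-pass-3", ["Carol"]),
    "dave":  make_account("ap_clerk",      "dave-pass-4",  ["Dave"]),
    "erin":  make_account("shop_foreman",  "erin-pass-5",  ["Erin"]),
    "sales": make_account("sales_rep",     "sales2022",    ["Frank", "Grace", "Heidi"]),
}

# Authorization policy (least privilege): a role gets exactly the actions listed
# here and nothing else. An action missing from a role's set is denied.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:edit", "payroll:report"},
    "ar_clerk":      {"receivables:edit", "receivables:report"},
    "purchasing":    {"purchase_orders:create"},
    "ap_clerk":      {"invoices:enter"},            # enters invoices, cannot print checks
    "controller":    {"ledger:post", "financials:run", "checks:print", "payroll:report"},
    "shop_foreman":  {"fileserver:read", "email:use"},
    "sales_rep":     {"crm:read", "fileserver:read", "email:use"},
}

AUDIT_LOG: list[dict] = []   # accounting: one record per request, allowed or not


def authenticate(username: str, password: str) -> bool:
    """Who are you? Constant-time digest comparison; unknown users simply fail."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["digest"], hash_password(password, user["salt"]))


def authorize(username: str, action: str) -> bool:
    """Are you allowed here? Deny by default."""
    role = USERS[username]["role"]
    return action in ROLE_PERMISSIONS.get(role, set())


def account(username: str, action: str, outcome: str, src_ip: str) -> None:
    """What are you doing here? Record the attempt, including failures."""
    AUDIT_LOG.append({"user": username, "action": action, "outcome": outcome, "src": src_ip})


def request(username: str, password: str, action: str, src_ip: str) -> str:
    """Full AAA path for one request: 'unauthenticated', 'denied' or 'ok'."""
    if not authenticate(username, password):
        outcome = "unauthenticated"
    elif not authorize(username, action):
        outcome = "denied"
    else:
        outcome = "ok"
    account(username, action, outcome, src_ip)
    return outcome


def who_did(action: str) -> list[dict]:
    """Investigation question: which person performed this action?
    A per-user login attributes to exactly one person; a shared login only
    narrows it to everyone who knows the password."""
    findings = []
    for entry in AUDIT_LOG:
        if entry["action"] != action or entry["outcome"] != "ok":
            continue
        owners = USERS[entry["user"]]["owners"]
        findings.append({"login": entry["user"], "src": entry["src"],
                         "suspects": owners, "attributable": len(owners) == 1})
    return findings


if __name__ == "__main__":
    print(request("alice", "alice-pass-1", "payroll:report", "10.0.0.11"))    # ok
    print(request("dave", "dave-pass-4", "checks:print", "10.0.0.12"))        # denied
    print(request("erin", "wrong-password", "fileserver:read", "10.0.0.13"))  # unauthenticated
    print(request("sales", "sales2022", "fileserver:read", "10.0.0.14"))      # ok, but by whom?
    for finding in who_did("fileserver:read"):
        print(finding)
```

Two design points worth noticing: failed logins and denied actions are logged as well as successes, because the Detect function needs the attempts, not just the wins; and the policy is a whitelist per role, so the payables clerk never gets `checks:print` unless someone deliberately adds it.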
It’s Not Just Users – It’s Devices & Processes Too
Devices. Last year, NASA’s Jet Propulsion Laboratory was hacked (and data stolen) because an employee put an unauthorized device on the network, and it was not properly secured. Do you have a policy that employees cannot buy and install their own hardware on the office network?
Processes. Backups are good, right? They are, if you are doing them yourself, keeping track of them, and controlling who has access. What about Google Drive Sync and Apple’s Time Machine? Do you have policies prohibiting employees from using/installing these backup applications on office computers? Last year a City of Baltimore employee was fired after “hacking tools” (used by both white and black hats) were found on his office computer. But here’s the twist:
some of the material on his computer had inadvertently been synced from his Google cloud storage
What if company data was synced up to the Google cloud and then to the employee's home computer? What if some of the files synced included malware? Rogue processes on your network can be a backdoor. All processes need to be managed with the AAA Protocols, along with devices and users.
Whew! I think that's enough for this week! I'll put this in perspective of the Uber hack and maybe talk about that some more next time.
Talk to you again soon!