Alternative hypothesis
The collective heads of Sony Pictures are as stupid, selfish, short-sighted and negligent as you think they are.
(Just thinkin' out loud...)
Hackers obtained system administrators' passwords to pull off the mega-hack against Sony Pictures' servers, according to reports. This will come as no surprise to IT professionals. Purloined administrator credentials gave miscreants calling themselves Guardians of Peace broad latitude to access systems and sensitive data; that …
No two-factor auth for sysadmins
I was actually thinking of what you might call "n-factor" auth. Use a secret sharing scheme to guard the most important passwords and hand them out to your most-trusted staff. The crypto bit makes sure that unless a certain threshold of trusted users all present their key material, nothing can be unlocked.
Bonus points if you have "poisoned" keys that will always raise an alarm if used. A few fake personnel records in various databases and you've got a nice honeypot.
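The "n-factor" idea above, worked through as an added example that is not code from any commenter: a master password is split with Shamir secret sharing so that any threshold of trusted holders can reconstruct it, while a few "poisoned" canary shares (ids that were never on the polynomial) raise an alarm the moment anyone presents them. The prime, share ids and sample password are constructed for the demonstration.

```python
"""Threshold unlocking of a master password with Shamir secret sharing,
plus canary shares that trigger an alarm when presented.

Added example, not code from the thread. PRIME, the share ids and the
sample password used in the demo are constructed values."""
import hashlib
import secrets

# Constructed field prime (2**127 - 1). Secrets must encode to an integer < PRIME.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, n_shares: int):
    """Split `secret` into n_shares points; any `threshold` of them reconstruct it."""
    value = int.from_bytes(secret, "big")
    if not (value < PRIME and 1 <= threshold <= n_shares):
        raise ValueError("secret too long or bad threshold/share count")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct(shares, secret_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over the field; needs `threshold` shares."""
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    return value.to_bytes(secret_len, "big")


class SharedVault:
    """Holds the real shares, the canary shares and an alarm log.

    The vault never stores the secret itself, only its SHA-256 digest so a
    reconstruction attempt can be verified."""

    def __init__(self, secret: bytes, threshold: int, n_real: int, n_canary: int):
        self.threshold = threshold
        self.secret_len = len(secret)
        self.digest = hashlib.sha256(secret).hexdigest()
        self.real_shares = split_secret(secret, threshold, n_real)
        # Canary ("poisoned") shares: plausible-looking points whose x-ids were
        # never evaluated on the polynomial. Their use can only be an attack.
        self.canary_shares = [
            (x, secrets.randbelow(PRIME))
            for x in range(n_real + 1, n_real + n_canary + 1)
        ]
        self.canary_ids = {x for x, _ in self.canary_shares}
        self.alarms = []

    def unlock(self, presented):
        """Return the secret if enough genuine shares are presented, else None."""
        tripped = [x for x, _ in presented if x in self.canary_ids]
        if tripped:
            # Alarm first; do not even try to reconstruct.
            self.alarms.append(f"ALARM: canary share id(s) {tripped} presented")
            return None
        if len(presented) < self.threshold:
            return None
        candidate = reconstruct(presented[: self.threshold], self.secret_len)
        if hashlib.sha256(candidate).hexdigest() != self.digest:
            return None
        return candidate


if __name__ == "__main__":
    vault = SharedVault(b"master-root-pw", threshold=3, n_real=5, n_canary=2)
    print(vault.unlock(vault.real_shares[:3]))            # the secret
    print(vault.unlock(vault.real_shares[:2]))            # None: below threshold
    print(vault.unlock(vault.real_shares[:2] + vault.canary_shares[:1]))  # None
    print(vault.alarms)                                   # one alarm entry
```

The canary shares are handed out like real ones to the records or people you want to watch; because the vault only ever sees share ids, the check costs nothing and cannot be bypassed by guessing the polynomial.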
Exactly. One would have thought that the Target, Home Depot, etc. might have woken some C-suite types up... but no. They stuck their heads in the sand and continued to reduce costs by cuts in the IT cost center. It'll keep happening.
The only way is for the C-suite occupiers and the board to change their thinking. IT spending may reduce profit in the short term but it keeps the profit flowing.
Oh, come on - Execs don't mandate Admin access controls and policies, and putting effective controls in place wouldn't even register in the average IT budget. The truth is that all too often the people responsible for putting access controls in place don't want the hassle of having their own access constrained. That applies to Admins every bit as much as Execs - but you'd expect an IT pro to know better.
One of my policies as a system administrator, or actually any of my hats, was I had to eat the same dog food as well. Yes, it was a pain in the ass, especially when the brain isn't as agile after a long night of partying, but it kept the complaints down to a grumble whether on the line or in the C-suite. This isn't (necessarily) about IT, it's about any job where you have some authority over another. One of those leadership things but I didn't get it from schools or training. It seemed obvious. Guess it's not {sigh}.
> "system administrators and their credentials are the most dangerous threat to companies today," said Eric Chiu
ODFO, Eric. I know you're just jumping on a bandwagon to sell your products, but we're incredibly loyal considering how we get treated like shit. How about manglement and HR working to improve staff conditions rather than treat us as probable criminals?
E.g. where I'm working we're implementing a Unix/Linux login management system (similar to LDAP plus sudo); Information security are paying for the project as it has obvious benefits for them, but I'm all for it as it means I only have to remember and change one password. So I'll be more productive, less frustrated and happier as a result.
Admin rights on production systems should only be given to System admins for a limited time and strictly based on a specific need (incident resolution or planned changes). Two-factor authentication compulsory for access to critical systems. You should address the question of who's in charge of managing sysadmin rights and privileges for each system judged to be critical. Use a relatively low-tech team to grant those accesses as needed and make sure this team can't access the production systems (hint, use scripts to grant rights and jump-points to control access). On top of it, log every access and audit systems periodically. Add continuous user education to the mix.
You're still vulnerable but will make it a lot harder for intruders.
Keep in mind that a sysadmin frustrated by security policies is still preferable to a gratified intruder.
Eric, you're missing my point. The Login Management mechanism is an enabler as well as a security tool. Feel free to log and audit what I do, but don't get in my way*.
e.g. today I had a problem on a Production system that was querying a failed DNS server. Easy workaround, check another Prod system on the same subnet for a good list of DNS servers and copy the config file to the system that had a problem. Follow up by writing a quick script** to check 700 systems for which DNS servers they are using and remove any bad entries. Result: many minor performance issues resolved quickly and cheaply, many thousands of dollars savings in time for the systems users who had got used to a slight but annoying delay.
Your idealised version of login management would make it virtually impossible to get the required access to a second system to check the config, let alone the rest of the estate.
*Management understand that in general if you give someone Responsibility for an issue, you should give them the Authority to fix that issue. Accountability comes after the fact.
**Yes, this could have been done using a Configuration Management system such as Puppet, or writing a custom Nagios plugin to check configs, but that just shifts the problem of trust and adds cost.
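The DNS clean-up described in that comment, as an added example that is not the commenter's script: resolver configs collected from several hosts are checked against an approved nameserver list, bad entries are pruned, and a host left with no good nameserver gets the config copied from a known-good peer, exactly the manual workaround the comment describes. The approved list and the sample resolv.conf contents are constructed for the demonstration.

```python
"""Audit resolv.conf contents from many hosts against an approved nameserver
list and produce corrected configs.

Added example, not the commenter's script. APPROVED_NAMESERVERS and
SAMPLE_HOSTS are constructed for the demonstration; in real use the texts
would come from the hosts (e.g. over ssh) instead of this dict."""

# Constructed: the nameservers the estate is supposed to use.
APPROVED_NAMESERVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed: hostname -> contents of /etc/resolv.conf on that host.
SAMPLE_HOSTS = {
    "prod-web-01": "search example.internal\nnameserver 10.0.0.53\nnameserver 10.0.9.99\n",
    "prod-web-02": "search example.internal\nnameserver 10.0.0.53\nnameserver 10.0.1.53\n",
    "prod-app-07": "# edited by hand\nnameserver 10.0.9.99\noptions timeout:1\n",
}


def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses in a resolv.conf body, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(text: str, approved: set):
    """Split a host's nameservers into (good, bad) against the approved set."""
    servers = parse_nameservers(text)
    return ([s for s in servers if s in approved], [s for s in servers if s not in approved])


def prune_bad_nameservers(text: str, approved: set) -> str:
    """Drop only the nameserver lines that point at unapproved servers."""
    kept = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in approved:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def pick_reference(hosts: dict, approved: set):
    """Find a host whose config is entirely good, to copy from when needed."""
    for host, text in hosts.items():
        good, bad = audit(text, approved)
        if good and not bad:
            return host, text
    raise RuntimeError("no host with a clean resolver config to copy from")


def audit_fleet(hosts: dict, approved: set) -> dict:
    """Per-host report: good/bad servers, the action taken and the fixed text."""
    ref_host, ref_text = pick_reference(hosts, approved)
    reports = {}
    for host, text in hosts.items():
        good, bad = audit(text, approved)
        if not bad:
            action, fixed = "unchanged", text
        elif good:
            action, fixed = "pruned", prune_bad_nameservers(text, approved)
        else:
            # Nothing usable left: copy the known-good peer's config wholesale.
            action, fixed = f"replaced-from-{ref_host}", ref_text
        reports[host] = {"good": good, "bad": bad, "action": action, "fixed": fixed}
    return reports


if __name__ == "__main__":
    for host, r in audit_fleet(SAMPLE_HOSTS, APPROVED_NAMESERVERS).items():
        print(f"{host}: bad={r['bad']} action={r['action']}")
```

Running it over the constructed sample prunes one bad entry on prod-web-01, leaves prod-web-02 alone, and replaces prod-app-07's config with prod-web-02's; the `fixed` text is what would be written back to each host.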
Even better, create a second login name for those who need root access (separate from the regular one they use to access their email and Internet) and elevate the privileges of that login, on a specified server only, for a limited time and only based on a change/incident ticket.
While Snowden was interesting, he was mostly ignored from a security point of view - all the attention was on the information that he released and the external collection methods by NSA et al. Home Depot and Target were simply retailer attacks and only different in scale to what has been done before and while they were inconvenient for the credit card companies, the overall effects were limited.
I feel that this hack at Sony however is different - unlike the prior attacks this has the potential to destroy the company. Discovering just how this was done will be interesting but it needs to wake us all up to the fact that it can happen to all of us.
Sure, it sounds like Sony's IT security was crap, and I guess we can say the same for Home Depot, Target and the NSA? But that's four very different entry vectors, each of which succeeded to a devastating extent - any admin who's thinking that, "This can't happen to me" needs a good beating with the cluestick.
And here's my stock tip for the new year: Invest in companies with good Penetration Testing reputations.