Jan 1 ’07
Privileged Users and the Mainframe
There’s always been debate in the security community about whether the largest threat is internal or external. It appears auditors and regulators have cast their vote: The insider threat has become the hot topic of audits. The threat that’s most concerning is that of the privileged user, and their (usually) unintentional but harmful mistakes. When you consider this threat and the auditors’ focus in the context of a mainframe-specific challenge, you’ll realize why you’ve been so busy lately. With great power comes great responsibility. Do you know who’s being responsible on your mainframe? Can you not afford to find out? You must. Here’s how.
The Privileged User Problem
Study after study confirms that insiders can cause more damage than external hackers. A recent Insider Threat Survey, conducted by the U.S. Secret Service and CERT, confirms that the insider threat usually comes from technical or privileged users.
What scenarios make a Chief Information Security Officer (CISO) most nervous? In discussions with compliance practitioners, these situations, mixing malicious acts with damaging mistakes, are frequently mentioned:
- Sabotage of information or systems: This category includes physical destruction of network cabling, computing devices, or disabling of electrical or other environmental control.
- Theft of information or computing assets: This category includes theft of anything from digitally stored information, such as customer credit card information, critical financial data, internal product engineering plans, and physical devices.
- Introduction of bad code: This may include time bombs or logic bombs.
- Viruses: The most significant internal threat is the “ignorant” employee who double-clicks an email attachment and activates a virus, but results from numerous insider-attack surveys show that viruses may also be intentionally deployed by hostile employees.
- Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.
- Manipulation of protocol design flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, including DNS spoofing, TCP sequence-number attacks, hijacked sessions and authentication session/transaction replay, denial of service, and TCP SYN flooding.
- Manipulation of operating system design flaws: Commonly used operating systems, such as Windows and Linux, weren’t designed to be highly secure. Privileged users have easy access to information regarding which vulnerabilities exist and which have been patched. With read/write and administrative access, privileged users can manipulate these design flaws and exercise native vulnerabilities.
- Social engineering: Attackers may use email, Instant Messaging (IM) or telephones to impersonate or pretext employees and administrators to gain usernames, passwords, or escalated privileges to information or systems, and execute Trojan horse programs.
The message here isn’t that privileged users are bad. Absolute power does not, in this case, corrupt absolutely. Privileged users are generally good, but have enough power to make big mistakes. In other words, with great power comes great responsibility.
As ISO17799 points out, “Inappropriate use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) can be a major contributory factor to the failures or breaches of systems.”
Auditors and regulators are concerned, too. In one Sarbanes-Oxley (SOX) audit after another, the message is clear: Get control over your privileged users.
The Mainframe Challenge
The old, reliable mainframe (a.k.a. Enterprise Server) is alive and kicking, but the mainframe provides a unique privileged user challenge. One of the cost-saving aspects of z/OS systems, the high “users to technicians ratio,” opens up new challenges for data center managers. Additional efficiency improvements in security management have allowed data center management to reduce the size of security management teams down to the level where conventional separation of duties is no longer feasible. Today, each staff member wears multiple hats, even if that violates good change management and audit policy. Smaller shops may run with one security administrator and use the systems programmer as backup and technical consultant. Even in large mainframe installations, there’s typically only one security administrator who really understands z/OS, the legacy applications, and how these are defined to the security product.
In such installations, the lead security administrator may have tasks ranging from:
- Defining the security structure for new applications
- Granting authority
- Cleaning up obsolete structures
- Keeping house when the help desk can’t shoulder the load
- Identifying data exposures
- Fixing misconfigured parameters
- Investigating and escalating incidents.
Since the lead security administrator is the only person who understands the ins and outs, he becomes an untraceable, self-supervising agent. In a typical environment, he would have the ability to change any security rule or parameter, and simultaneously bypass those rules. In a RACF system, he might have system special and operations and might even require the auditor attribute to run some standard reports. In CA-ACF2, he might have the security attribute and bypass rule validation. In Unix, he might need UID(0) to create new home directories. When all these authorities accrue to the same person, you have a Super User.
Just as in the “X-Men” movie, the all-powerful person may become dangerous when motivated by the wrong priorities. When your security administrator decides the situation merits drastic actions, you may find yourself in the scene where Magneto moves the Golden Gate Bridge to get to Alcatraz. But unlike the visual effects we see in the movie, your security administrator may be completely invisible to others because he’s the only person who looks at the logs.
The regulations tell you to implement change management procedures, apply separation of authorities, provide reporting of all actions of privileged users, etc. But when cost-savings have forced you to rely on a small team to get the job done, how can you make sure they did the right thing? When it’s impractical to limit administrator authority and privileges, a simple alternative is to monitor their activity and make sure all parties are aware of it. Psychological research has shown that a closed-circuit camera does wonders to keep people honest.
Monitoring users isn’t only a good scare tactic for keeping employees from doing bad things, it also can be used to support the technical staff. With the right technology supporting privileged user monitoring initiatives, an administrator can show exactly what controls they’ve implemented and changed, proving they’ve completed their job to their best ability. Privileged user monitoring ensures that executives can be confident their power users aren’t manipulating reports and conducting activity detrimental to the company.
In one example, a freight-handling agency dealt with shipping manifests of many publicly traded companies. The manifests could be used to deduce the production volumes of the company and predict their revenue. With such information, one could predict the stock price, opening the door to violations of Securities and Exchange Commission (SEC) rules. In the company’s SOX compliance project, the agent requested that access to these files be limited to financial staff, but implementing changes in storage management and security infrastructure proved impractical.
The technical teams pointed out that they would be unable to live up to the Service Level Agreement (SLA) when such changes were made. As an alternative measure, real-time alerts were used to notify the data security team when systems programmers used their privileges to read confidential data. With this measure and others, the agency met its regulatory requirements and proved to customers that confidential information would be appropriately handled.
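The monitoring the article recommends, reporting every rule change by the administrator, flagging privileges used to read confidential data (the freight-handling case), and catching the self-supervising pattern of changing a rule and then using it, can be sketched as a small log scanner. This is an added example, not code from the article or from any security product; the record layout, the attribute names in the `via` field, the data-set prefixes and the sample log are all constructed for illustration and are not real SMF or RACF output.

```python
# Added example (not from the article): a simplified privileged-user monitor
# run over constructed audit records. The record layout and the attribute names
# used to mark how access was granted are illustrative, not real SMF/RACF output.
from typing import List, Tuple

# Constructed list of data-set prefixes the business classes as confidential
CONFIDENTIAL_PREFIXES = ("FIN.MANIFEST.", "HR.PAYROLL.")
# Authorities that let a user bypass ordinary rule validation (the article's examples)
BYPASS_ATTRIBUTES = {"SPECIAL", "OPERATIONS", "SECURITY", "UID0"}

def parse(line: str) -> Tuple[str, str, str, str]:
    """Constructed record format: user|action|resource|via
    'via' is PROFILE (a normal rule matched) or the attribute that bypassed rules."""
    user, action, resource, via = line.strip().split("|")
    return user, action, resource, via

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, user, resource) for every event worth a second pair of eyes."""
    alerts = []
    changed_by = {}  # user -> profile prefixes that user redefined earlier in the log
    for line in lines:
        if not line.strip():
            continue
        user, action, resource, via = parse(line)
        if action == "RULECHANGE":
            # every security-definition change by an administrator is reported
            alerts.append(("RULE_CHANGED", user, resource))
            changed_by.setdefault(user, []).append(resource.rstrip("*"))
            continue
        if via in BYPASS_ATTRIBUTES and resource.startswith(CONFIDENTIAL_PREFIXES):
            # privileges used to read or alter confidential data (the freight example)
            alerts.append(("PRIVILEGED_ACCESS_CONFIDENTIAL", user, resource))
        if any(resource.startswith(p) for p in changed_by.get(user, [])):
            # the same person rewrote the rule and then used it: no second pair of eyes
            alerts.append(("ACCESS_AFTER_OWN_RULE_CHANGE", user, resource))
    return alerts

# Constructed sample log, not real audit data
SAMPLE_LOG = """\
SYSPROG1|READ|FIN.MANIFEST.ACME|OPERATIONS
SECADM1|RULECHANGE|FIN.MANIFEST.*|SPECIAL
SECADM1|READ|FIN.MANIFEST.BETA|PROFILE
APPUSER3|READ|FIN.MANIFEST.ACME|PROFILE
OPER2|UPDATE|SYS1.PARMLIB|OPERATIONS
""".splitlines()

if __name__ == "__main__":
    for kind, user, resource in scan(SAMPLE_LOG):
        print(f"{kind:32} {user:10} {resource}")
```

Routine privileged work that touches no confidential data (the last sample record) produces no alert, which is what keeps this kind of monitoring low-impact for the technical staff.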
Figure 1 shows a chart of best practices for organizations to implement to address a privileged user threat without hindering productivity.
Privileged users are an unavoidable factor in running an IT system, and usually, they benefit the business. Cost pressures mean that one person often has several roles; these same pressures mean implementing all the controls you’d like isn’t affordable. When business priorities prevent a thorough redesign of the security definitions, monitoring of log files or real-time alerts can be used as an effective and low-impact alternative to keep your privileged users honest—and ensure none of that power is abused.
- U.S. Secret Service and CERT, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, May 2005, www.cert.org/insider_threat/insidercross.html
- CSI/FBI Computer Crime and Security Survey 2006, July 2006, www.gocsi.com/