The data breach that recently affected Global Payments caused a lot of concerns, especially after it came to light that around 1.5 million cardholders might have been impacted.
Since some voices claimed that an unprotected administrative account might have been the source of the incident, we decided to ask for an objective expert opinion regarding the matter.
Subhash Tantry, the CEO of Fox Technologies, Inc. (FoxT), a company that specializes in access management solutions, was kind enough to share some insight regarding the rumors that surround the unfortunate event. He also provided some great advice for companies on how to protect their infrastructures.
Gartner Analyst Avivah Litan speculated that a reason behind the breach could be that the hackers took over an administrative account that was not protected well enough. If it were to be true, would it surprise you? Based on your experience, how would you grade companies in general in this sector of Internet security? Subhash Tantry:
That hackers can take over an administrative account does not surprise me. Historically, most enterprises have focused their attention on perimeter control in terms of bad people and bad things like a virus penetrating the perimeter of their enterprise and wreaking havoc on their internal systems.
Perimeter control typically involves technologies such as firewalls, authentication mechanisms and anti-virus/spam and other such software. Perimeter control does address a most important concern.
However, when outsiders break through the perimeter using hacking, phishing and other vectors, the outsider becomes an insider at which point all bets are off.
One of the biggest Achilles heels of enterprise security is that there is too much trust of their current employees and the devices they bring on their own. This leads to a lackadaisical approach to implementing and enforcing security policies within the perimeter.
What is needed is multiple layers of security enforcement through automated tools to prevent a threat from the inside or prevent a threat from an outsider pretending to be an insider!
In fact, a recent survey of CIOs, CSOs, CTOs, CEOs, System Administrators etc. by Fox Technologies, Inc and Echelon One suggests that more than 70percent of surveyed organizations have the potential for insider fraud.
This is because of their inability to control user accounts across servers and applications and the fact that they have not implemented an automated way to control role-based access of users to applications and servers, including controlling what a user can get to and do when they have such access. Softpedia:
What should other companies learn from the incident? Subhash Tantry:
Enterprises should focus on taking a multi-layered security approach when they define their security policies. They should also implement automated tools to enforce their access control policies.
The critical requirements from an automated solution should include the ability to centrally administer user accounts in a role-based manner across diverse servers and applications, enforcement of granular authorization policies, and automatic consolidation of user activity logs for simplified audit reporting, including keystroke or video-playback logs.
I would also say it is important for the solution to include alerting mechanisms that can proactively and reactively deny access based on a forensic analysis of audit logs that may reveal suspicious activity, be it from inside the perimeter or outside. Softpedia:
In theory, it's clear that organizations should learn certain things from the breaches that affect others, but what about in practice? In the past 7 years, since FoxT has been active, have you noticed an evolution in the way organizations protect their infrastructure? Subhash Tantry:
FoxT’s solutions provide the critical security layers within the perimeter of an enterprise to prevent insider fraud. The bellwether of FoxT’s customer base in the past has been financial services and government organizations in the Western World.
Such industries have sensitive information in their servers such as customer information, financial information, criminal records and state secrets, which when breached, has dire consequences. They have been the earliest adopters of solutions that control access to servers and applications, especially privileged user access management.
Because of the size of these organizations, they have also been the first to realize that home-grown solutions and open-source solutions such as sudo have their limits.
Recently, new industries are waking up to the threat of insider fraud including hi-tech, which wants to protect IP against industrial espionage, telcos that need to protect customer information, retailers wanting to be PCI compliant, utilities that need to be FERC/NERC compliant, and healthcare providers that need to protect health records from insiders to comply with HIPAA.
We feel that we are at the cusp of a major boom for our solutions as the market realizes that a multi-layered implementation of security policies is imperative. Softpedia:
How is Global Payments handling the incident? They made many statements that don't match the ones made by other companies involved, such as Visa. Should they be more transparent? Subhash Tantry:
Any incident like this, particularly in the payments industry, will understandably put the company in a crisis mode where they are trying to figure out what actually happened. This can lead into statements that do not match, particularly when there could be insider leaks and outsiders second guessing.
First and foremost I think they need to be transparent about what happened with the appropriate people within the company so that they can do a clean root cause analysis to resolve the issue and make sure that the probability of it happening again is dramatically reduced.
Once they have this learning in place and in control, they should share it transparently with the rest of the world in terms of the best practices that they have implemented. This will reduce this happening elsewhere soon. There are many copycat hackers and insiders out there who need to be thwarted. Softpedia:
Global Payments is a large company and the threats posed by a data breach are obvious. But what about smaller companies? What are the risks posed by the improper management of administrator accounts for small and medium businesses? Subhash Tantry:
All companies, including small ones, need to assess their security threats from outsiders, insiders, outsiders pretending to be insiders and insiders who have left the company. The smaller companies could then assess what type of security layers they need both from the outside in and from the inside.
Based on that and the number users, desktops (BYODs) and servers they can implement security tools either from Open Source sources or simple solutions that may not scale in the long term as they grow but are good enough for now.
In order to reduce the scale of implementation issue, all companies need to classify their users through some kind of security clearance mechanism into roles and grant privileged access appropriately.
The same should be done for servers and desktop as to which of them can have sensitive information that need a higher level of protection.
It would be wise to restrict sensitive information to reside in a few well backed-up servers, desktops and storage devices to reduce the overall cost of deployment along with the associated trailing costs. And, always encrypt your most sensitive information with the keys to the kingdom granted and monitored on a need to know only basis. Softpedia:
Please provide some tips on how administrator accounts could be properly protected. Subhash Tantry:
• Define and enforce who can access what systems, when, from where, and using which protocols, including management of SSH down to the sub-service level;
• Enforce contextual, multifactor authentication to servers that contain sensitive data as a seamless part of the authorization process;
• Require privileged users to logon using their own password or token, and transparently provide elevated privileges without sharing the password;
• Control which commands can be executed by privileged users;
• Capture keystroke logs or video for sensitive sessions;
• Provide automated alerts for problematic behavior. Softpedia:
What can FoxT offer to companies who want to reinforce their security measures in the admin accounts sector? Subhash Tantry:
FoxT provides several Enterprise Access Management solutions based on a single platform to cover the four A's of a sophisticated Identity and Access Management suite ─ Administration, Authentication, Authorization and Audit logging.
The suite of solutions centrally administers the identities of user accounts, hosts (desktops, servers), hostgroups and applications, roles (user account groups) and the associated access control policies.
The FoxT solution suite is designed specifically to work seamlessly with an organization’s existing directories (AD and LDAP) and identity management systems, as well as SIEM solutions such as ArcSight and RSA Envision to streamline the overall provisioning and reporting process.
FoxT access control policy engine proactively enforces authentication and authorization policies in real-time:
• To authenticate user accounts, hosts and applications using a multi-factor authentication method depending on the context (who, from where to where, time of day, access method) of the access;
• To authorize in terms of the fine-grained methods of access that are allowed to be used by user accounts to access applications and hosts and what commands they can execute on hosts;
• To audit log all account activity including keystroke logging depending on the context and the commands being executed and applications being accessed.
The FoxT Enterprise Access Management Solution Suite include ServerControl for privileged user management, ApplicationControl to control access to business applications such as Oracle and SAP as well as custom applications, SSHControl to enforce fine grained authorization at SSH sub-protocol level, and PasswordControl for vaulting passwords and for managing shared account passwords. Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1