In-Depth
Overcoming Security Pains in UNIX Environments
Getting a handle on UNIX vulnerabilities is no easy task.
By Roy Adar, Vice President of Product Management, Cyber-Ark Software
There are many advantages to a UNIX operating system, including its flexibility, ability for installation on many different types of machines, stability, and overall processing power. Unfortunately, security is not one of its strong suits. With cyber attacks occurring more frequently, and auditors cracking down on IT's ability to secure (and prove its security) its infrastructure, it is vital for IT administrators to understand the vulnerabilities of UNIX systems in order to protect their organization from experiencing a devastating data breach and risking non-compliance.
Protecting the "Keys to the Kingdom"
The typical IT environment is comprised of thousands of servers, databases, network devices, and applications -- all of these are controlled and managed by a variety of privileged and shared administrative identities. As a quick refresher -- privileged accounts represent the most powerful users in any organization, often referred to as "the keys to the kingdom." Despite this power, these identities are typically shared, known by many in an organization, and worst yet, are rarely changed.
In a UNIX system, these privileged accounts include the "root" or "oracle" accounts. To put it simply -- the administrator role gives the user the power to configure virtually every aspect of the system, so managing and controlling these accounts is critical to enterprise security.
The term "privilege" should not and does not refer simply to the access these accounts afford. It refers to what can be done with that access. Mismanaged privilege poses a devastating risk to any organization, including financial loss (Société Générale), regulatory penalties, customer loss, and severe damage to a enterprise's reputation (San Francisco/Terry Childs).
Reducing the risk from privileged accounts calls for accountability -- knowing who used the account, for what purposes, when, etc… This information reduces the insider threat and meets compliances challenges without loss of productivity.
How can you protect these privileged accounts? Start by identifying the four critical requirements for managing these accounts:
1. Personalize shared and super user account usage. The "root" account is not attached to a specific person; personalizing credentials allows you to identify who did what, when, and why.
2. Secure the account credentials. Secure passwords in protected storage and ensure they are available wherever and whenever needed, independent of outages.
3. Create central and flexible policy definitions. Use a system that automatically manages privileged accounts and enforces enterprise policy with no human intervention.
4. Monitor and log activity. Once privileged accounts are personalized you can trace and correlate all actions performed by users and ensure they cannot be tampered with at any stage to meet audit and regulatory requirements.
Sudo: The Illusion of Security
To manage privileged accounts in UNIX, sudo has emerged as an open source option for many organizations.
Organizations look to sudo for its perceived "low cost" for personalization of accounts and its basic logging abilities. However, to reiterate what Gartner Analyst Mark Diodati has said, "Sudo is not up to the task for large scale UNIX security deployments." Therefore, this perceived "low cost" can quickly turn into a huge financial loss for an organization.
If you are considering sudo for your UNIX environment, consider this list of some of the productivity, compliance and security challenges that arise when centralizing privilege and access with sudo:
- Both the sudo audit logs as well as their policies are written and stored on local file systems meaning they are not secured from tampering with. Because of this security flaw, sudo is perceived by many organizations as not compliant with audit and regulatory standards.
- In times of an audit, unnecessary time will be spent creating reports that combine sudo's separate audit logs.
- Sudo lacks a local agent, which reduces the level of security because there is no separation between the end user and the actual execution of the command itself.
- With no support center, it is impossible to contact someone when there is an issue with sudo. This can severely impact productivity.
- The open source nature of sudo means there are no dedicated QA experts to methodically test the product from the security feature and function aspects.
Realizing its weaknesses, sudo recently announced that its latest version, Sudo 1.8, allows for an external policy server. This means organizations can implement a secure policy server that identifies elevated commands that can run without exposing the root password to the user. To avoid the other major pitfalls associated with sudo, organizations should look for a solution with central management capabilities, unified policy, and central audit, and one that has undergone strict testing methodologies.
Other UNIX Vulnerabilities
Along with the privileged vulnerabilities discussed -- here are a few other areas you need to be aware of when securing your UNIX environment.
Hard-coded passwords in applications: It's commonplace for software developers to provide access to administrators during the development process -- often through embedded credentials, most notably hard-coded passwords. Once these credentials are embedded in clear text within the application code, scripts, applications server data sources, or configuration files, they are visible to developers, DBAs, and IT personnel. Organizations must replace hard-coded passwords with a tool that ensures these passwords are no longer visible and are changed periodically without causing any application downtime. Moreover, authenticating an application that is requesting credentials will enhance security even further.
Third parties connecting to a root session: If your server is managed by a third-party vendor and you're worried that they need to connect to a root session, you should be worried. Avoid disclosing privileged account credentials for these third parties by allowing a transparent, single sign-on remote connection.
What actually happens in a root session? This is the first question you will want answered if your organization suffers a data breach and it is the first thing auditors want to know when testing for compliance. To tackle audits with confidence, you must understand what commands were performed by privileged users in a root session. Personalizing and monitoring third-party vendors and internal IT staff with easy playback and search capabilities will ensure that you are aware of who is accessing root accounts and what actions they are taking -- keeping auditors happy and enhancing security within your organization.
Managing SSH Keys: SSH keys were developed to eliminate the use of shared root passwords in the UNIX environment but bring with them their own security issues. They are challenging to replace and because their usage is anonymous, there is no accountability when misused. The keys have no central management and they can be stolen or leaked because they are held in local files that can be hacked. There are few options for organizations looking to enhance security while using the vulnerable SSH keys, but with a privileged account solution there is no need for the keys at all.
Native UNIX Privileged Single Sign-On: Have you ever had to log on to multiple UNIX machines and found that you are spending an unnecessary amount of time entering a root password for every machine? This is a common issue within the UNIX environment, and although there are options to solve this pain, the tradeoff is weaker security. A solution that both records a session and enables single sign-on would solve the problem without sacrificing system security especially when wanting to manage privileged users holistically.
Conclusion
Securing your organization should not affect the productivity of your IT personnel, but they must understand the security pains specific to their operating system to effectively protect mission-critical enterprise data. Although many security solutions are available for the UNIX environment, it is this true understanding that will allow administrators to choose the solutions that will not only protect the organization from failing an audit but also guard against the increasingly sophisticated cyber-attacks and insider threats.
Roy Adar is vice president of product management at Cyber-Ark Software where he is responsible for leading definition and delivery of Cyber-Ark product lines, product positioning, and the overall product road map. You can contact the author at roya@cyber-ark.com..