Saturday, July 18, 2015

Drive your computer using your valet key

A long time ago in a galaxy far, far away, there was me, pre-CSO, doing lots of vulnerability scanning and reporting.  A big part of that was (and still is) helping our many businesses prioritize the patching of these vulnerabilities in order to protect their most important data.

I would examine system vulnerabilities and focus primarily on the ones that were externally exploitable (called "level 5 vulnerabilities", the most severe in our vulnerability management software).  Important, of course, because allowing an attacker into a system easily isn't a good thing.  Other vulnerabilities, including "local privilege escalation vulnerabilities" -- vulnerabilities that allow someone who is already on a computer to use an exploit to escalate their privileges to a higher level, such as "Administrator" -- were a lower priority.  Why?  Because I didn't realize how important these vulnerabilities are.

In the years following, I have learned penetration testing.  I've had the opportunity to participate in many "capture the flag" exercises, including SANS NetWars Continuous, SANS Holiday Hack Challenges, exploitable virtual machines and online capture the flag games.  Man, I've learned a bunch.  And I continue to have many opportunities to apply this learning in my daily work.

One of the important things I've learned is that successful penetration testing relies heavily on "local privilege escalation."  I often gained access to an account or computer but did not have the privileges necessary to access the real gold, such as password hashes, domain credentials, databases, etc. ("flags"). It finally hit me that local privilege escalation vulnerabilities ROCK!  A simple software exploit got me all the privileges I needed.  From an impact perspective, they are about as dangerous as external vulnerabilities since they allow an attacker much easier access to the crown jewels of an enterprise.

Many (if not most) users already make this job easy for an attacker.  They do their daily web browsing or email reading using an account that either has full administrative access to their computer, or worse yet, full access to business information that has great value.  Those who "drive their daily computer use" using an account that they also use to administer their servers and services should be very afraid.  Most of the systems we see compromised have been when the user is browsing the web, downloading software, clicking on email links or opening email attachments.  Often times the attacker is given access to the computer with the same level of privileges as the victim user.  If the user has high-level privileges already? As I've often stated with joy while doing pen testing, "we have WINNER!" :)  It's like landing a nice mountain trout on your first fly.

Since then, as part of my regular live awareness courses I talk about this particular variation of "least privilege."  Using real attack demonstrations I try to show how much easier it is for an attacker to steal the good stuff from users who insist on "convenience" at the expense of security.  For this year's training, the best mental illustration I've been able to come up with is the concept of a valet key.

A valet key is a key for your car that is different from your normal car key.  Valet keys usually can unlock the driver's side door and start the car, but the can't unlock the trunk or the glove box. This key is normally used when someone else operates your vehicle, such as a valet parking attendant. They aren't perfect (they don't prevent a vehicle from being stolen), but they do make it harder for someone who has the key to access your valuables in the trunk or your glove box.

Using this example, this year's awareness training emphasizes "driving your day-to-day computer use using your valet key."  That "key" is your account, in this case.  If an attacker compromises that key, it can be much harder for them to access your "valuables". 

How does one drive their day-to-day computer use using a valet key?  By using an account that doesn't have local administrative privileges.  By using a separate, higher privileged account for accessing valuable information or for managing servers and services.  Or even by ensuring that in order to use their higher privileges, two factor authentication is required.  And not using their "higher privileged key" for anything other than what it is for.

Sure, it's an inconvenience if you need to fish for your "higher privileged key" when you need to access your valuables, or plug it in each time you need to do something that has greater importance, like installing software.  But along with the importance of keeping your computers patched and protected from those awesome local privilege escalation exploits, driving your computer with your valet key will make it tougher for the bad guys to succeed.

No comments:

Post a Comment