Privileged Users and the Mainframe



by Rob van Hoboken
January 1, 2007

There’s always been debate in the security community about whether the largest threat is internal or external. It appears auditors and regulators have cast their vote: The insider threat has become the hot topic of audits. The threat that’s most concerning is that of the privileged user, and their (usually) unintentional but harmful mistakes. When you consider this threat and the auditors’ focus in the context of a mainframe-specific challenge, you’ll realize why you’ve been so busy lately. With great power comes great responsibility. Do you know who’s being responsible on your mainframe? Can you not afford to find out? You must. Here’s how.

The Privileged User Problem

Study after study confirms that insiders can cause more damage than external hackers. A recent Insider Threat Survey, conducted by the U.S. Secret Service and CERT, confirms that the insider threat usually comes from technical or privileged users.

What scenarios make a Chief Information Security Officer (CISO) most nervous? In discussions with compliance practitioners, these situations, mixing malicious acts with damaging mistakes, are frequently mentioned:

  • Sabotage of information or systems: This category includes physical destruction of network cabling or computing devices, or disabling of electrical or other environmental controls.
  • Theft of information or computing assets: This category includes theft of anything from digitally stored information, such as customer credit card information, critical financial data, and internal product engineering plans, to physical devices.
  • Introduction of bad code: This may include time bombs or logic bombs.
  • Viruses: While the most significant internal threat is the “ignorant” employee who double-clicks on an email attachment and activates a virus, results from numerous insider-attack surveys show that viruses may be intentionally exploited by hostile employees.
  • Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.
  • Manipulation of protocol design flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, including DNS spoofing, TCP sequence, hijacked sessions and authentication session/transaction replay, denial of service, and TCP SYN flooding.
  • Manipulation of operating system design flaws: Commonly used operating systems, such as Windows and Linux, weren’t designed to be highly secure. Privileged users have easy access to information regarding which vulnerabilities exist and which have been patched. With read/write and administrative access, privileged users can manipulate these design flaws and exercise native vulnerabilities.
  • Social engineering: Attackers may use email, Instant Messaging (IM) or telephones to impersonate or pretext employees and administrators to gain usernames, passwords, or escalated privileges to information or systems, and execute Trojan horse programs.
The message here isn’t that privileged users are bad. Absolute power does not, in this case, corrupt absolutely. Privileged users are generally good, but have enough power to make big mistakes. In other words, with great power comes great responsibility.