These days attacks that are being launched on an organization’s computing infrastructure are becoming more sophisticated and potentially more damaging. Threats have escalated as IT organizations are increasingly being asked to provide more services. Security officers are fighting these threats on a daily basis, but their efforts are limited to the effectiveness of various ‘gates’ that are in place. However, these gates are of little use when the attacker has successfully gained access to the machine as the “root” user. This is because there is no easy way to enable the “root” user to manage the computing environment without also giving them unfettered access to the business data that is stored within that environment – like critical data stored in a database or a file server.

Let’s first define what information theft is – any access of sensitive information that is not performed in accordance with the methods provided by the application service and by organizational policies. This form of information theft is typically accomplished by technically capable attackers such as a malicious or compromised “root” user who knows how to get around access controls or exploit existing holes in operating systems and application software.

An outside attacker can gain “root” user privileges via advanced persistent threat (APT) or by exploiting holes in the application software, e.g. buffer overflow or via spear phishing. Irrespective of how the attack is launched the motivation remains the same – gain access to the system as the “root” user. Once the attacker assumes “root” privileges then they can launch all types of attacks to gain access to the sensitive information stored in a database server or a file server as discussed below.

A malicious “root” user is an insider who has access, privilege, skill, motivation, and knowledge of the process. They can access information directly at the operating system layer. The advanced knowledge about the application and system provides the ability to cover-up.

From a security perspective, there are no differences between a compromised or a malicious “root” user. Let’s now see how the “root” user privilege can be abused to gain access to sensitive information.

Privilege Escalation Attack:

A malicious/compromised “root” user can escalate their privileges or assume the identity of another user who has been granted access to sensitive information. This is a very simple type of data theft.

Application Server Attack:

A malicious or compromised “root” user can modify the application server executables or operating system shared libraries thereby compromising the integrity of the server and gain access to data that the server generates and attempts to control. This method can be used to bypass data-at-rest encryption but requires an advanced skill set.

Data Tampering Attack:

Data tampering is generally launched by sophisticated attackers who have an endgame in mind e.g. to either disrupt the normal operation of the organization, or tamper specific data sets to compromise other computing systems that may be used for payroll, accounts payable, or storing trade secrets/intellectual property. This type of attack is very hard to trace. Attackers can use data tampering to manipulate encrypted data sets.

Solution:

Do not trust the “root” user with your data. This obviously is hard to implement. However, a good data security solution must find a way to protect data against attacks launched by a malicious/compromised “root” user. It’s quite true that it’s very hard to prevent a motivated “root” user (nation-state) from accessing sensitive data but one can raise the bar quite significantly. We do this at Server General by implementing advanced access control mechanisms that go above and beyond the POSIX based access controls. Our solutions are designed not to trust the “root” user and therefore deny access to the protected data sets. Contact us if you need additional information about this or other features of our data security solutions.