Why Protect Data Against A Malicious Root User?
Attacks launched against an organization’s computing infrastructure are becoming more sophisticated and potentially more damaging. Threats have escalated as IT organizations are increasingly asked to provide more services. Security officers fight these threats on a daily basis, but their efforts are limited by the effectiveness of the various ‘gates’ that are in place. These gates are of little use once the attacker has successfully gained access to the machine as the “root” user, because there is no easy way to enable the “root” user to manage the computing environment without also giving them unfettered access to the business data stored within that environment, such as critical data stored in a database or on a file server.
Let’s first define what information theft is – any access to sensitive information that is not performed in accordance with the methods provided by the application service and by organizational policies. This form of information theft is typically accomplished by technically capable attackers such as a malicious or compromised “root” user who knows how to get around access controls or exploit existing holes in operating system and application software.
An outside attacker can gain “root” user privileges through an advanced persistent threat (APT), through spear phishing, or by exploiting holes in the application software, e.g. a buffer overflow. Irrespective of how the attack is launched, the motivation remains the same: gain access to the system as the “root” user. Once the attacker assumes “root” privileges, they can launch all types of attacks to gain access to the sensitive information stored in a database server or a file server, as discussed below.
A malicious “root” user is an insider who has access, privilege, skill, motivation, and knowledge of the process. They can access information directly at the operating system layer. Their advanced knowledge of the application and system gives them the ability to cover up their actions.
From a security perspective, there is no difference between a compromised and a malicious “root” user. Let’s now see how the “root” user privilege can be abused to gain access to sensitive information.
Privilege Escalation Attack:
A malicious/compromised “root” user can escalate their privileges or assume the identity of another user who has been granted access to the sensitive information. This is a very simple type of data theft.
Application Server Attack:
A malicious or compromised “root” user can modify the “application server” executables or operating system shared libraries, thereby compromising the integrity of the server and gaining access to data that the server generates and *attempts* to control. This method can be used to bypass data-at-rest encryption but requires an advanced skill set. Here is an example of how a malicious “root” user can gain access to data encrypted by a database server. Let’s assume that the malicious “root” user has *not* been granted access. The “root” user can attempt to gain access at the OS layer but finds that the data is encrypted. You may think that you have effectively shut out the “root” user by encrypting the data and denying them access, but that’s not the case. A clever “root” user might be able to replace the encryption library that the database server uses to encrypt data with a malicious encryption library that sends a copy of the data in clear-text to the “root” user before the data is encrypted.
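A defender-side check for the library replacement described above, as an added example that is not part of the original article or of any Server General product: it parses a Linux /proc/<pid>/maps listing and compares every executable file mapping against a SHA-256 baseline. The function names and sample data are constructed for illustration, and the baseline is assumed to be stored and compared off the host, since a “root” user can alter anything kept on the machine itself.

```python
import hashlib, tempfile
from pathlib import Path
DELETED = " (deleted)"  # kernel suffix when a mapped file no longer exists on disk

def mapped_files(maps_text):
    """Parse /proc/<pid>/maps text into {path: deleted?} for executable file mappings."""
    out = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or "x" not in fields[1] or not fields[5].startswith("/"):
            continue  # skip anonymous, non-executable and pseudo mappings like [vdso]
        path = fields[5].strip()
        gone = path.endswith(DELETED)
        path = path[:-len(DELETED)] if gone else path
        out[path] = gone or out.get(path, False)
    return out

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(maps_text, baseline):
    """Compare mapped code against a trusted {path: sha256} baseline."""
    findings = []
    for path, gone in sorted(mapped_files(maps_text).items()):
        if gone:  # process still runs a file that was unlinked or renamed over
            findings.append((path, "replaced or deleted on disk"))
        elif path not in baseline:
            findings.append((path, "not in baseline"))
        elif sha256_file(path) != baseline[path]:
            findings.append((path, "hash mismatch"))
    return findings

def demo():  # constructed scenario: the files and maps lines are sample data
    with tempfile.TemporaryDirectory() as d:
        crypto, hook, ssl = (str(Path(d, n)) for n in ("libcrypto.so", "libhook.so", "libssl.so"))
        for p in (crypto, hook, ssl):
            Path(p).write_bytes(b"original " + p.encode())
        baseline = {p: sha256_file(p) for p in (crypto, ssl)}
        Path(crypto).write_bytes(b"replacement")  # swapped after the baseline was taken
        maps = "\n".join([
            f"7f0000000000-7f0000100000 r-xp 00000000 08:01 11 {crypto}",
            f"7f0000200000-7f0000300000 r-xp 00000000 08:01 12 {hook}",
            f"7f0000400000-7f0000500000 r-xp 00000000 08:01 13 {ssl}{DELETED}",
            "7ffd00000000-7ffd00001000 r-xp 00000000 00:00 0 [vdso]",
        ])
        return [(Path(p).name, why) for p, why in audit(maps, baseline)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The three findings correspond to a library whose contents changed, a library that was never part of the approved set, and a library file that was swapped on disk while the server was still running.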
Data Tampering Attack:
Data tampering is generally launched by sophisticated attackers who have an endgame in mind, e.g. to either disrupt the normal operation of the organization, or tamper with specific data sets to compromise other computing systems which may be used for payroll, accounts payable, or storing trade secrets/intellectual property. This type of attack is very hard to trace. Attackers can use data tampering to manipulate encrypted data sets.
Do not trust the “root” user with your data. This obviously is hard to implement. However, a good data security solution must find a way to protect data against attacks launched by a malicious/compromised “root” user. It’s quite true that it’s very hard to prevent a motivated “root” user (nation-state) from accessing the sensitive data sets, but one can raise the bar quite significantly. We do this at Server General by implementing access control mechanisms that go above and beyond the POSIX-based controls. Both of our solutions, Server General TDE and Server General KMS, are designed not to trust the “root” user and therefore deny access to the protected data sets. Contact us if you need additional information about this or other features of our data security solutions.