The IT and software worlds rely heavily on Linux and Unix, including to run MacOS. For this reason, security teams are often on high alert when major security vulnerabilities are exposed in Linux and Unix systems.
We recently learned that the powerful sudo command, which executes under elevated privileges, could be misused by privileged users or careless users without easy traceability.
Why the Sudo command Vulnerability Could Lead to Insider Threats
Specifically, as long as users had privileges to run the sudo command (i.e. run sudo with an arbitrary user ID), they could also run commands as root, even if root was disallowed as an environment setting. While external intruders would require increased privileges to exploit this bug, internal privileged users and senior developers at most firms already have sudo privileges across many environments.
(Joe Vennix from Apple Information Security found and analyzed the bug, if you want more technical details.)
The Current Status of the Sudo Vulnerability
Luckily, the recent fix by the Linux development community has removed this loophole.
That said, it certainly makes us think about the importance of user and data activity monitoring, especially for privileged users in environments like Linux and UNIX. Our customers have always wanted high visibility into users on Linux- and UNIX-based machines. Information security risks can stem from careless mistakes on sensitive servers impacting the business. There can also be malicious modifications of intellectual property or critical systems, and Insiders who know what they are doing can often successfully mask their true identities.
Take, for example, application administrators or DevOps pros, who often need elevated privileges to push new releases or roll back to an older branch of the codebase. These Insiders have significant privileges that can be abused. Similarly, a disgruntled administrator leaving the firm after being passed up for promotions, could take intellectual property with them to their next gig or run malicious scripts on the way out. The bottom line: Privileged users require extra scrutiny of their actions, not just their access, as a result of their elevated privileges.
Insider Threat Indicators to Employ
So how do we fight back? Some of ObserveIT’s most commonly used real-world insider threat indicators of risk include installations of suspicious tools (e.g. anti-security, hacking or other malicious software) and modifying server configurations to allow more open sharing and accessibility. These often take place within Linux and UNIX server environments, and provide a good reason to employ a dedicated Insider Threat management platform like ObserveIT.