Who Holds The Keys To The Kingdom?

By Tom Hollingsworth, Blog Contributor

It seems like there have been a lot of hacks lately targeting passwords and specialized accounts. Every week, some company has lost its password database. If their database wasn't compromised, perhaps their login accounts were brute forced, or their social media credentials leaked and hilarity ensued.

[Image: "Keys" by richard-g, on Flickr, Creative Commons Attribution 2.0 Generic License]


One of the things that worries me about these kinds of attacks isn't the method that is being used to compromise everything. It's the attack surface. The bad guys are targeting accounts and policies that are commonly used by people to access data. Or the attackers are picking accounts that multiple people access regularly, like Twitter logins or Facebook accounts. In an effort to simplify things for users, admins have created one or two login/password combinations and given them out to people to use for things like adding users or tweeting about the latest hot product.


While the idea of unifying all your accounts is noble, you must be careful who holds these keys and how quickly you can change the locks in case they get out. When the system administrator account is hacked, how do you prevent access? How can you determine where the exposure came from, whether it was a keylogger on the network admin's workstation or an inadvertent insecure login by a junior administrator from shared wi-fi at the coffee shop? We must take into account that sharing user accounts between users is a bad idea when it comes to accountability, one of the three "A"s of security.


In my mind, the solution has already come from the wireless world. Wireless users have always been hard to track because of their mobile nature. They need protection tied to who they are. The days of a shared WEP key are long gone. In their place, we have user-based authentication and role-based access permissions. In the event of a compromise or leak, the necessary steps can be made to revoke the keys without needing to change all the locks. This also allows for better logging and discovery of problems when they occur. If all your users are doing admin tasks under their own accounts, you'll know when one of them starts doing things at odd hours or starts deleting user accounts wholesale.
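The detection the paragraph describes, odd-hour admin activity and wholesale user deletions attributable to one named account rather than a shared login, as an added example in Python that is not part of the original post. The audit log lines, their field layout, the business hours and the thresholds are all constructed assumptions.

```python
"""Flag per-account admin activity: actions at odd hours and wholesale user deletions.
Because every action carries an individual actor, the alert names a person, not a shared login."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, acting account, action, target account
SAMPLE_LOG = """\
2013-03-04T09:12:00 alice create_user bob
2013-03-04T09:15:00 alice reset_password bob
2013-03-04T03:02:00 carol delete_user dave
2013-03-04T03:02:30 carol delete_user erin
2013-03-04T03:03:00 carol delete_user frank
2013-03-04T03:03:30 carol delete_user grace
2013-03-04T14:20:00 alice delete_user henry
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 is treated as normal working time (assumption)
DELETE_THRESHOLD = 3            # more than this many deletions in one window is "wholesale"
WINDOW_SECONDS = 600            # ten-minute sliding window

def parse(log):
    """Turn raw audit lines into (timestamp, actor, action, target) tuples."""
    events = []
    for line in log.splitlines():
        ts, actor, action, target = line.split()
        events.append((datetime.fromisoformat(ts), actor, action, target))
    return events

def odd_hours(events):
    """Return (actor, action, target) for every admin action outside business hours."""
    return [(a, act, t) for ts, a, act, t in events if ts.hour not in BUSINESS_HOURS]

def bulk_deletions(events):
    """Return actors who deleted more than DELETE_THRESHOLD users within WINDOW_SECONDS."""
    per_actor = defaultdict(list)
    for ts, actor, action, _ in events:
        if action == "delete_user":
            per_actor[actor].append(ts)
    flagged = set()
    for actor, times in per_actor.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= WINDOW_SECONDS]
            if len(in_window) > DELETE_THRESHOLD:
                flagged.add(actor)
                break
    return sorted(flagged)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("odd-hour actions:", odd_hours(evs))      # four actions, all by carol
    print("bulk deleters:", bulk_deletions(evs))   # ['carol']
```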

[Image: "Cadeado - Lock" by carlosluz, on Flickr, Creative Commons Attribution 2.0 Generic License]


Yes, I know that these are all "best practice" ideas when it comes to security. However, the reason they call them best practices is because no one seems to do them in real life. I think we should make controls like this mandatory from now on. Like logging in with the system administrator account only long enough to delegate responsibility to another account. I've seen this advice used for certificate authority servers. Create the root CA and use it to sign a delegate server, then shut the root off and lock it in a closet somewhere. Good advice for all the CAs that seem to be getting compromised, eh? Maybe doing that with admin accounts is a good idea too.


In the end, we're never going to be able to prevent security problems. All we can hope to do is minimize the attack surface. If your target is tiny and your exposure is small, hopefully the bad guys looking to make a name for themselves will move on to other targets. Even if we get exposed, being able to plug the hole quickly will prevent the damage from escalating to the point of issuing a press release apologizing for all the trouble. That makes for a safe kingdom indeed.