How to Mitigate Data Breach by using Secured Privileged Identity Management Solution Presenter: Roy Tsang Snowden case: Privileged accounts are the master keys to corporate networks As Snowden told: "When you're in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you're exposed to a lot more information on a broader scale than the average employee ... Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets." By identifying and accessing privileged accounts, an unscrupulous insider can easily roam far and wide inside an organization's network. Such accounts function, in effect, as master keys to the deepest, most sensitive parts of an organization's digital assets. The Privilege ID Dilemma “48% of data breaches were caused by privileged misuse” Proactively manage privileged access to prevent such attacks Privileged ID are everywhere Data Breaches happening? Local Admin Root Database Network Switch Security Appliance, Applications Service account Your Risks & Challenges • Your Risks Insider Threats Third Party Risk (Outsourcing, Contractor, Vendor) • Your Challenges Audit & Compliance Management, Business User Cyber Attack Regaining the Control over Privileged Administrative Accounts Enterprise policy enforcement Frequent Auto Change Dual Control One-time Password Unique strong password Comprehensive Accountability Segregation of Duties Exclusive Password Access Outsourcing Control User Activity Monitoring Strong Auditing • Enterprise Readiness Long-term, secured Storage Availability during Disaster Recovery Easy to deploy Agentless Non-Intrusive Support extensive platforms Never Review the Password Session Recording Text Command Recording DBA Activities Agent-less Application Integration Ready Support extensive programming language Local Cache Common middleware support Protect the last stand of our battle Privilege Attack Vectors: Let’s Start with the Simple Trial & Errors Administrator’s end-point Periodic Passwords Change Servers Periodic Passwords Change Periodic passwords Change Once inside the network, the attacker employs various attack-vectors to Periodic achieve his target. Passwords Databases Change Trying to use default privileged passwords Virtual Machines Periodic Passwords Change Malicious Code Application Servers Privilege Attack Vectors: Then Hijack the Administrator! Administrator’s end-point Co nn ec to ve rp ro xy Privileged erver Privileged sensitive S to y tl c e ir d Session Session Connect Isolation Monitoring Conne ct dire c tly to s Servers ensitiv e data base Databases Malware “sees pixels” and cannot access the assets Exploit vulnerable end-point to directly access core assets (Malware, Key Logging, Memory Mapping) Privileged Session Manager Secure Proxy Control-Point Virtual Machines Session is running on an isolated secure proxy, not on the end-point Malicious Code Application Servers Privileged Identity Management Solution Vulnerable Privileged Account Types Shared Predefined: UNIX root Administrative Administrative Accounts Accounts Cisco enable DBA accounts Windows domain Etc. Help Desk Operations Emergency Legacy applications Developer accounts Hard-coded, embedded: Application Application Accounts Accounts Not owned by any person or “identity” Service Accounts: Resource (DB) IDs Windows Service Accounts Application / Generic IDs Scheduled Tasks Batch jobs COM+ Testing Scripts IIS Application Pool Windows Local administrator: Personal Personal Computer Computer Accounts Accounts Owned by the system: Shared: Desktops Laptops Security Posture Assessment No installation required… single executable with immediate insight to non compliant accounts Summarized results on top of report Detailed list of all accounts discovered and flagging 11 Protecting Administrative Accounts System User Pass Unix A root Unix B root Unix C root Oracle A SYS Oracle B SYS tops3cr3t tops3cr3t tops3cr3t orac1e orac1e tops3cr3t password1 orac1e psw4adm T&y3p0L O8=p<zZ Qom$3#a nc7Sd3R mN85p:a j7t5QdC l+zM6t1 O9^aziA Iu~1@r P9i$b% 0in7$&x cqg8@fz lm7yT5w iaX3f#! Log5%t gvIna9% o70X#jJ R73#myOb2@1 x8wF$2 iIt$8sa PSM Servers O8=p<zZ O8=p<zZ Person al System User Pass Oracle A TEST Oracle A PPRD Oracle A QUAL Oracle A CONV Oracle A TRNG Oracle A PROD password1 password2 password3 password4 password5 password6 System User Pass Desktop A Administrator Desktop B Administrator Laptop C Administrator psw4adm psw4adm psw4adm ID Peter John CPM Databases PCs Digital Vault Hidden Account Discovery Concise Accountability of Shared Account Enforce Access Control Intrusion Detection Case Studies 13 Major Local Bank in Hong Kong - Working with HKMA to implement effective PIM Solution Business Challenges • Determine the extent to feedback to HKMA on their PIM guidelines • Scattered Privileged Accounts lack cohesive policy and process • Lacking transparency into Privileged Activities Why Cyber-Ark? Key Benefits • Complements HKMA PIM Guidelines • Improved Manageability & Security • Comprehensive and Systematic PIM Solution • Fulfills and exceeds HKMA Requirements • Manages all platforms and Privileged IDs using a single platform • Concise Audit Trail and Reporting BIG SIX Casino - Meeting ISO27001 / 27002 Business Challenges • Requirement to adhere to ISO 27001 / 27002 • Access Control Management is complicated to be realized • Lack means to document adherence to Standards • Tasks carried out on servers lack transparency Why Cyber-Ark? • A Single Platform to manage all Privileged Accounts to Servers, Network Devices, etc • Implement Access Control to use the Accounts / Passwords Key Benefits • Concise Control of Access to Managed Devices • Fine-grain management over who access what and when • Comprehensive Records • Run Regular Reports to show compliance • Minimal Operational Overheads SAFP of Hong Kong - Challenges of an Managing Cloud Environment Business Challenges • Enforcing IT Security Guide G3 • Manual management operation overloaded with new cloud infrastructure • Outsourced Infrastructure cannot be controlled Why Cyber-Ark? • Support extensive platform including VMware and Cloud infrastructure • Comprehensive reporting for audit purpose • Capability of integrating ticketing system Key Benefits • Streamline IT operations • Enforcing IT Security Guide G3 requirements • Thin management over outsourced infrastructure Global 500 Insurance Company in China - Challenges of hard coded application password Business Challenges • Hard coded password in over 1000+ application • Over 50,000 Privileged IDs • Limited resource for application team • Heavy overhead to update hard coded password Why Cyber-Ark? • Mature technology for Application •Smart cache to guarantee application server performance • Proven solution among global enterprises • Scalable solution Key Benefits • Extend password policy enforcement to application • Automated password change even on application • Standardize password policy for the entire corporation Securing Administrative Accounts Strategies 18 QUESTIONS? 19 THANK YOU 20 “How Can I Ensure Only Trusted Applications Get The Password?” My Server Application Requests Credentials Application Password Provider Provider authenticates Application by: Path Signature/Hash OS User Machine Address Vault Cyber-Ark API UserName = GetUsername() Central Policy Manager Password = GetPassword() Host = GetAddress() Ongoing password changes are transparent ConnectDatabase Database to applications (Host,UserName,Password) Hard Coded Passwords – A Major Vulnerability Point Configuration Files & Databases Web Config Files Websphere Weblogic Application Servers JBoss Service Accounts Hard-Coded, Application Databases Embedded Credentials Third Party Applications Clear-text Windows service passwords intasks Scheduled INI/Text Files UserName = “app” Apache connection strings Password = “y7qeF$1” IIS application pool Tomcat Host = “10.10.3.56” found in IIS Directory ConnectDatabase(Host, UserName, Password)Security (Java) J2EE Application Serversdatasource COM+ and webconfig (IIS) Registry files create serious security risks IIS for Windows® Server Also in registry, FTP credentials and more Eliminate Hard Coded Password UserName = “app” Password = “y7qeF$1” Host = “10.10.3.56” ConnectDatabase(Host, UserName, Password) Vault Cyber-Ark API UserName = GetUsername() Password = GetPassword() Host = GetAddress() ConnectDatabase (Host,UserName,Password) Supported APIs: CLI, Java, .Net, COM, C/C++ on Windows, RHEL, SUSE Linux/zLinux, Solaris, AIX, HP-UX
© Copyright 2024