How to Mitigate Data Breach by using Secured Privileged Identity Management Solution

Presenter: Roy Tsang
Snowden case: Privileged accounts are the
master keys to corporate networks
As Snowden said: "When you're in positions of privileged
access, like a systems administrator, for these sort of
intelligence community agencies, you're exposed to a lot
more information on a broader scale than the average
employee ... Anybody in the positions of access with the
technical capabilities that I had could, you know, suck out
secrets."
By identifying and accessing privileged accounts, an unscrupulous insider can easily roam far and
wide inside an organization's network. Such accounts function, in effect, as master keys to the
deepest, most sensitive parts of an organization's digital assets.
The Privilege ID Dilemma
“48% of data breaches were caused by privileged misuse”
Proactively manage privileged access to prevent such attacks
Data Breaches happening?
Privileged IDs are everywhere:
• Local Admin
• Root
• Database
• Network Switch
• Security Appliance
• Applications
• Service account
Your Risks & Challenges
• Your Risks
Insider Threats
Third Party Risk (Outsourcing, Contractor, Vendor)
• Your Challenges
Audit & Compliance
Management,
Business User
Cyber Attack
Regaining the Control over Privileged Administrative
Accounts
Enterprise policy enforcement
Frequent Auto Change
Dual Control
One-time Password
Unique strong password
Comprehensive Accountability
Segregation of Duties
Exclusive Password Access
Outsourcing Control
User Activity Monitoring
Strong Auditing
Enterprise Readiness
Long-term, secured Storage
Availability during Disaster
Recovery
Easy to deploy
Agentless
Non-Intrusive
Support extensive platforms
Never Review the Password
Session Recording
Text Command Recording
DBA Activities
Agent-less
Application Integration Ready
Support extensive programming
language
Local Cache
Common middleware support
Protect the last stand
of our battle
Privilege Attack Vectors: Let’s Start with the Simple Trial & Errors
Once inside the network, the attacker employs various attack-vectors to achieve his target.
Trying to use default privileged passwords
Periodic Passwords Change (shown against each target)
[Diagram labels: Administrator’s end-point, Servers, Databases, Virtual Machines, Application Servers, Malicious Code]
Privilege Attack Vectors: Then Hijack the Administrator!
Exploit vulnerable end-point to directly access core assets (Malware, Key Logging, Memory Mapping)
• Connect directly to sensitive server
• Connect directly to sensitive database
Privileged Session Manager: Secure Proxy Control-Point
• Connect over proxy
• Privileged Session Isolation
• Privileged Session Monitoring
• Session is running on an isolated secure proxy, not on the end-point
• Malware “sees pixels” and cannot access the assets
[Diagram labels: Administrator’s end-point, Servers, Databases, Virtual Machines, Application Servers, Malicious Code]
Privileged Identity
Management Solution
Vulnerable Privileged Account Types
Administrative Accounts
  Shared Predefined: UNIX root, Cisco enable, DBA accounts, Windows domain, etc.
  Shared: Help Desk, Operations, Emergency, Legacy applications, Developer accounts
Application Accounts
  Hard-coded, embedded: Resource (DB) IDs, Application / Generic IDs, Batch jobs, Testing Scripts
  Service Accounts: Windows Service Accounts, Scheduled Tasks, COM+, IIS Application Pool
  Owned by the system: Not owned by any person or “identity”
Personal Computer Accounts
  Windows Local administrator: Desktops, Laptops
Security Posture Assessment
No installation required… single executable with immediate
insight into non-compliant accounts
Summarized results on top of report
Detailed list of all accounts discovered and flagging
Protecting Administrative Accounts
System     User   Pass
Unix A     root   tops3cr3t
Unix B     root   tops3cr3t
Unix C     root   tops3cr3t
Oracle A   SYS    orac1e
Oracle B   SYS    orac1e

System     User   Pass
Oracle A   TEST   password1
Oracle A   PPRD   password2
Oracle A   QUAL   password3
Oracle A   CONV   password4
Oracle A   TRNG   password5
Oracle A   PROD   password6

System      User            Pass
Desktop A   Administrator   psw4adm
Desktop B   Administrator   psw4adm
Laptop C    Administrator   psw4adm

[Diagram: columns of random-looking password strings shown alongside the tables; labels: PSM, CPM, Servers, Databases, PCs, Personal ID (Peter, John)]
Digital Vault
Hidden Account Discovery
Concise Accountability of Shared Account
Enforce Access Control
Intrusion Detection
Case Studies
Major Local Bank in Hong Kong
- Working with HKMA to implement effective PIM Solution
Business Challenges
• Determine the extent to feedback to HKMA on their PIM guidelines
• Scattered Privileged Accounts lack cohesive policy and process
• Lacking transparency into Privileged Activities
Why Cyber-Ark?
Key Benefits
• Complements HKMA PIM Guidelines
• Improved Manageability & Security
• Comprehensive and Systematic PIM
Solution
• Fulfills and exceeds HKMA
Requirements
• Manages all platforms and Privileged
IDs using a single platform
• Concise Audit Trail and Reporting
BIG SIX Casino
- Meeting ISO27001 / 27002
Business Challenges
• Requirement to adhere to ISO 27001 / 27002
• Access Control Management is complicated to implement
• Lacks means to document adherence to Standards
• Tasks carried out on servers lack transparency
Why Cyber-Ark?
• A Single Platform to manage all
Privileged Accounts to Servers,
Network Devices, etc
• Implement Access Control to use the
Accounts / Passwords
Key Benefits
• Concise Control of Access to
Managed Devices
• Fine-grained management over who
accesses what and when
• Comprehensive Records
• Run Regular Reports to show
compliance
• Minimal Operational Overheads
SAFP of Hong Kong
- Challenges of Managing a Cloud Environment
Business Challenges
• Enforcing IT Security Guide G3
• Manual management operation overloaded with new cloud infrastructure
• Outsourced Infrastructure cannot be controlled
Why Cyber-Ark?
• Support extensive platform including
VMware and Cloud infrastructure
• Comprehensive reporting for audit
purpose
• Capability of integrating ticketing
system
Key Benefits
• Streamline IT operations
• Enforcing IT Security Guide G3
requirements
• Thin management over outsourced
infrastructure
Global 500 Insurance Company in China
- Challenges of hard-coded application passwords
Business Challenges
• Hard-coded passwords in 1000+ applications
• Over 50,000 Privileged IDs
• Limited resources for application team
• Heavy overhead to update hard-coded passwords
Why Cyber-Ark?
• Mature technology for Application
• Smart cache to guarantee application
server performance
• Proven solution among global
enterprises
• Scalable solution
Key Benefits
• Extend password policy enforcement
to applications
• Automated password change even on
applications
• Standardize password policy for the
entire corporation
Securing Administrative Accounts Strategies
QUESTIONS?
THANK YOU
“How Can I Ensure Only Trusted Applications Get The Password?”
My Server
Application Requests Credentials
Application Password Provider
Provider authenticates Application by:
• Path
• Signature/Hash
• OS User
• Machine Address
Cyber-Ark API
UserName = GetUsername()
Password = GetPassword()
Host = GetAddress()
ConnectDatabase(Host,UserName,Password)
Ongoing password changes are transparent to applications
[Diagram labels: Vault, Central Policy Manager, Database]
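The four caller checks listed on this slide (path, hash, OS user, machine address) can be sketched as follows. This is an added example, not Cyber-Ark's implementation and not code from the presentation; the function names, policy fields, the sample binary and the 192.0.2.10 address are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def enroll(path, os_user, address):
    """Record the four attributes of a trusted application (field names are assumed)."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"path": os.path.realpath(path), "sha256": digest,
            "os_user": os_user, "address": address}


def failed_checks(request, policy):
    """Return the checks a credential request fails; an empty list means trusted."""
    failures = []
    real = os.path.realpath(request["path"])  # resolve symlinks before comparing
    if real != policy["path"]:
        failures.append("path")
    try:
        with open(real, "rb") as fh:  # hash the binary as it is now, not as enrolled
            digest = hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        digest = ""  # an unreadable or missing binary can never match
    if not hmac.compare_digest(digest, policy["sha256"]):
        failures.append("hash")
    for field in ("os_user", "address"):
        if request[field] != policy[field]:
            failures.append(field)
    return failures


def demo():
    """Enroll a constructed application, then change it in place at the same path."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "billing-app")  # constructed sample binary
        with open(app, "wb") as fh:
            fh.write(b"original build")
        policy = enroll(app, "svc_billing", "192.0.2.10")
        req = {"path": app, "os_user": "svc_billing", "address": "192.0.2.10"}
        untouched = failed_checks(req, policy)
        with open(app, "wb") as fh:
            fh.write(b"modified build")  # same path, different content
        tampered = failed_checks(req, policy)
        other_user = failed_checks(dict(req, os_user="root"), policy)
    return untouched, tampered, other_user
```

The tampered case passes the path check and fails only on the hash, which is why path alone is not enough to identify a trusted application.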

Hard Coded Passwords – A Major Vulnerability Point
Hard-Coded, Embedded Credentials
Clear-text passwords in connection strings found in datasource (Java) and webconfig (IIS) files create serious security risks
UserName = "app"
Password = "y7qeF$1"
Host = "10.10.3.56"
ConnectDatabase(Host, UserName, Password)
Also in registry, FTP credentials and more
[Diagram labels: Configuration Files & Databases, Web Config Files, INI/Text Files, Registry, Application Servers, J2EE Application Servers, Websphere, Weblogic, JBoss, Tomcat, Apache, Application Databases, Third Party Applications, Service Accounts, Windows service, Scheduled tasks, IIS application pool, IIS Directory Security, IIS for Windows® Server, COM+]
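To find the clear-text passwords this slide describes, an audit can scan the three file types it names: INI/text files, IIS web.config connection strings, and Java datasource files. The following is an added example, not part of the original presentation; the file names and file contents are constructed samples that reuse the slide's sample credentials, and the datasource element names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples of the file types named on the slide.
SAMPLES = {
    "app.ini": 'UserName = "app"\nPassword = "y7qeF$1"\nHost = "10.10.3.56"\n',
    "web.config": (
        '<configuration><connectionStrings>\n'
        '<add name="Main" connectionString="Server=10.10.3.56;User Id=app;Password=y7qeF$1;"/>\n'
        '<add name="Sso" connectionString="Server=10.10.3.57;Integrated Security=SSPI;"/>\n'
        '</connectionStrings></configuration>\n'
    ),
    "app-ds.xml": (
        '<datasources><local-tx-datasource>\n'
        '<user-name>app</user-name><password>y7qeF$1</password>\n'
        '</local-tx-datasource></datasources>\n'
    ),
}

# Matches key = "value" assignments and key=value pairs inside connection strings.
ASSIGN = re.compile(r'(?i)\b(password|passwd|pwd)\s*=\s*"?([^";\s]+)')
SECRET_TAGS = {"password", "passwd", "pwd"}


def scan_text(name, text):
    """Return (file, kind, masked secret) for each clear-text password found."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        root = None  # not XML: treat as an INI/text file
    if root is None:
        for m in ASSIGN.finditer(text):
            findings.append((name, "assignment", "*" * len(m.group(2))))
        return findings
    for el in root.iter():
        conn = el.attrib.get("connectionString", "")
        for m in ASSIGN.finditer(conn):
            findings.append((name, "connectionString", "*" * len(m.group(2))))
        secret = (el.text or "").strip()
        if el.tag.lower() in SECRET_TAGS and secret:
            findings.append((name, "element <%s>" % el.tag, "*" * len(secret)))
    return findings


def scan_all(files):
    """Scan every file and report findings in file-name order, secrets masked."""
    return [f for name in sorted(files) for f in scan_text(name, files[name])]
```

The report masks each value so the audit output does not become another place where the password is stored in clear text; the connection string using integrated security is correctly not flagged.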
Eliminate Hard Coded Password
Hard-coded:
UserName = "app"
Password = "y7qeF$1"
Host = "10.10.3.56"
ConnectDatabase(Host, UserName, Password)
Vault / Cyber-Ark API:
UserName = GetUsername()
Password = GetPassword()
Host = GetAddress()
ConnectDatabase(Host,UserName,Password)
Supported APIs: CLI, Java, .Net, COM, C/C++ on Windows, RHEL, SUSE Linux/zLinux, Solaris, AIX, HP-UX