“The Compromise of Privileged Accounts was a Crucial Factor in 100% of APTs”: CyberSheath Releases the First APT/Privileged Account Research Report

This week the Cyber-Ark team is excited to announce the availability of an important and revealing new research report: “APT Privileged Account Exploitation.” This is the first IT security industry report that truly highlights the distinct connection between the misuse of privileged accounts and Advanced Persistent Threats (APTs). While we have been warning organizations of this connection for some time now, this report brings to light the severity of the situation and the frequency of the “privileged connection” in significant and newsworthy cyber attacks.

To compile this comprehensive research report, CyberSheath’s advanced security investigations team interviewed CISOs and security professionals at organizations that collectively have more than $40 billion in annual revenues and more than 170,000 employees around the globe. They combined the results of those interviews with analysis of several high-profile cyber attacks (including the South Carolina Department of Revenue, the University of Georgia, the NASA Jet Propulsion Laboratory and Red October, among others) and with related industry research to reach their conclusions. The report found that in 100% of these advanced attacks, privileged accounts were compromised. If the data in this report isn’t a wake-up call for organizations, we don’t know what is. As you will also read, attacks that leveraged these accounts were found to be more difficult to detect and stop, as well as more damaging and expensive to remediate.

CyberSheath also provided best practices for organizations to follow that we here at Cyber-Ark couldn’t be more supportive of, including the requirement to implement the right tools to isolate, monitor and control every access point to all critical business systems, and to secure, manage and automatically log all activity associated with administrative and privileged accounts.

We have two versions of the report available, depending on your interest: one for business leaders and one for security operations professionals.

Worried About Your Next Audit? Advanced Threats? Get to Know Your Privileged Accounts

In biology, DNA encodes the genetic instructions used in the development and functioning of all known living organisms. DNA is found in every living cell and is the foundation for control over the organism.

The same could be said of privileged and administrative accounts in the enterprise. These powerful accounts are at the root of almost every enterprise function and exist throughout the IT infrastructure: on desktops, laptops, databases, applications and network devices, and throughout cloud deployments.

Organizations want to manage these powerful accounts in order to minimize the risk they carry: left unattended, they are critical points of attack on the organization. Often, however, organizations are not aware of just how many privileged accounts they have or where they exist. Because this information is scattered across the organization, it is a real challenge to obtain a true picture of the status of privileged accounts.

This is why Cyber-Ark recently introduced Cyber-Ark DNA™ (Discovery & Audit), the industry’s first stand-alone solution that rapidly locates all privileged, shared and generic accounts without installing anything on target machines.

Identifying privileged accounts has traditionally been a manual process, consuming hundreds of hours of IT time and creating a long and complex audit process. Given the number and variety of privileged accounts, identifying them manually and gaining an accurate picture of when each was last changed or used has been all but impossible. Cyber-Ark DNA is the Watson and Crick of the privileged account genome, enabling organizations to expose the magnitude of the privileged account security risk within their organization and to get accurate insight into the compliance status of these accounts in preparation for the next audit.

Identifying the Privileged Pathway

Cyber-Ark is currently offering businesses the opportunity to use Cyber-Ark DNA for a free self-assessment to discover where their privileged accounts – and risk – exist.

One customer, who wished to remain anonymous, recently used Cyber-Ark DNA and made some startling discoveries. The company was looking for a solution to manage privileged domain accounts. Cyber-Ark DNA was run on about 100 servers, including servers that were part of the company’s effort to outsource some IT functions.

Cyber-Ark DNA discovered two things across these servers:

  • Some of the scanned servers had unmanaged admin accounts, created by the IT outsourcer, whose passwords had not been changed in more than 200 days even though the accounts had been used recently. A stale credential on an account that is still in active use is a serious security risk;
  • Employees who had since left the company had created personal admin accounts, and those accounts were still there to be found, a substantial audit finding.

This discovery led to significant policy changes for the organization and put the management of local admins on a much higher priority level.
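The two findings above can be expressed as a simple audit over a discovery inventory. The following Python is an added illustration, not Cyber-Ark DNA’s code or output: it runs over a constructed list of local admin accounts (hypothetical hosts, usernames and dates) and a constructed HR leaver list, and flags the same combinations the customer found: passwords unchanged for longer than policy allows on accounts that are still being used, accounts belonging to people who have left, and accounts under no management at all. The 90-day password age and 30-day "recently used" thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed inventory rows standing in for what a discovery scan of local
# admin accounts might return. Hosts, usernames and dates are hypothetical.
SCAN_DATE = datetime(2013, 1, 15)

@dataclass
class AdminAccount:
    host: str
    user: str
    password_last_set: datetime
    last_logon: Optional[datetime]   # None if the account has never logged on
    managed: bool                    # True if vaulted and rotated by a PAM tool

INVENTORY = [
    AdminAccount("srv-db-01", "Administrator", datetime(2012, 12, 20), datetime(2013, 1, 14), True),
    AdminAccount("srv-app-07", "svc_outsourcer", datetime(2012, 5, 1), datetime(2013, 1, 12), False),
    AdminAccount("srv-app-08", "svc_outsourcer", datetime(2012, 4, 15), None, False),
    AdminAccount("srv-web-03", "jsmith_admin", datetime(2012, 9, 9), datetime(2012, 11, 30), False),
]

# Constructed HR leaver list: admin usernames whose owners have left the company.
LEAVERS = {"jsmith_admin"}

def audit(inventory, leavers, scan_date, max_age_days=90, recent_days=30):
    """Group accounts into the three findings the post describes.

    stale_but_active: password older than max_age_days on an account that logged
                      on within recent_days (the outsourcer case above);
    orphaned:         account belongs to someone on the leaver list;
    unmanaged:        not under PAM control at all.
    """
    findings = {"stale_but_active": [], "orphaned": [], "unmanaged": []}
    for acct in inventory:
        age = (scan_date - acct.password_last_set).days
        recently_used = (acct.last_logon is not None
                         and (scan_date - acct.last_logon).days <= recent_days)
        if age > max_age_days and recently_used:
            findings["stale_but_active"].append((acct.host, acct.user, age))
        if acct.user in leavers:
            findings["orphaned"].append((acct.host, acct.user))
        if not acct.managed:
            findings["unmanaged"].append((acct.host, acct.user))
    return findings

def run_audit():
    return audit(INVENTORY, LEAVERS, SCAN_DATE)

if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"{category}: {items}")
```

Note that an account that has never logged on (the second outsourcer account) is not reported as stale-but-active even though its password is older still; it is still reported as unmanaged, and a real audit would treat a never-used admin account as its own finding.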

Why is this important? Privileged accounts are increasingly used as high-value attack points in almost every advanced attack, and were the root cause of breaches such as Saudi Aramco, Stuxnet, Red October, Subway Restaurants, Global Payments, the Utah and South Carolina breaches and the U.S. Department of Energy, among others.

Every privileged account is a potential attack point. Unmanaged and unprotected privileged accounts are a white flag to cyber attackers, signalling that your intellectual property and sensitive data are open for business.

Learn more about Cyber-Ark DNA and get a free assessment

Protecting Privileged Accounts can be the Difference Between “Managing” and “Securing” File Transfers

In the digital world in which we live, securing file transfers is critically important to personal and corporate security. Every day we send and receive sensitive information with the expectation that the services we use help us keep it secure.

But, as we re-learn constantly, a vendor calling itself ‘secure’ doesn’t always make it so. The latest egregious example is a high-profile vulnerability discovered in a managed file transfer service used internally by Facebook employees:
http://yro.slashdot.org/story/13/01/08/1949210/serious-password-reset-hole-in-accellion-secure-ftp

In short, the vulnerability allowed an attacker to create a new user account, log in with that account and change the password of another user, even one with full administrative privileges. After that, the attacker has a clear shot at any of the data in the file transfer application. Ouch!

Unfortunately, that is what can happen when security is added as an afterthought rather than as a core design principle built into the product from the ground up.

Given that Cyber-Ark’s business is all about privileged accounts and securing critical data from advanced attacks, we do know something about this. If you are looking for a truly secure file transfer service that won’t put your critical data at grave risk, here are some things you need to look for.

  1. The process used to create new users should not rely on public, generic URLs, but should have a full set of security controls and, optionally, secure approval workflows in place.
  2. The entire password reset process should work securely:
    • It should not rely on a bare HTTP POST request that names the account and the new password, without asking for the user’s current password or presenting a unique reset link.
    • It should not transfer confidential parameters that are merely Base64-encoded. Base64 is an encoding, not encryption, and offers no protection; such parameters belong in a TLS-protected request body, never in a URL.
    • The reset function should use a unique, single-use link with an expiration period, not a public, generic and predictable link.
    • It should offer the option of adding personal security question challenges to the process.
  3. Session management should be done securely, using a unique session ID and unique per-request tokens. The session identifier must never be carried in the URL.
  4. Executable code should be obfuscated.
  5. The file repository should be fully encrypted and separated from the web application server, so that a compromise of the web portal does not expose the stored files.
  6. Follow the National Institute of Standards and Technology (NIST) guidance and “require your vendor to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes and validation techniques”.
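As an added example, not code from the post or from the vendor discussed, here is the flawed reset pattern described above in Python next to a hardened version that follows items 2 and 3 of the checklist: the reset is driven by a random, single-use, time-limited token of which only a hash is stored; an authenticated password change requires the current password and compares it in constant time; and the token alone decides which account changes, so a username supplied in the request body is never trusted. Users, passwords and the in-memory stores are constructed, and delivery of the reset link to the user (e-mail) is out of scope.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(minutes=30)
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_user(password, is_admin):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "is_admin": is_admin}

# Constructed in-memory stores standing in for the application's database.
USERS = {
    "alice": make_user("correct horse battery", is_admin=True),
    "mallory": make_user("just signed up", is_admin=False),
}
RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)

def verify_password(username, password):
    user = USERS[username]
    return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))

def set_password(username, new_password):
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])

def vulnerable_reset(target_user, new_password):
    """The flawed pattern: a POST names the target account and the new
    password, and nothing proves the requester owns that account. A freshly
    self-registered user can reset an administrator's password."""
    set_password(target_user, new_password)
    return True

def issue_reset_token(username, now):
    """Hardened step 1: mint a random, single-use, time-limited token.
    Only its hash is stored, so a leaked table does not yield live tokens.
    The raw token goes to the account owner out of band as a unique link."""
    if username not in USERS:
        return None  # the caller responds identically either way (no user enumeration)
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return token

def redeem_reset_token(token, new_password, now):
    """Hardened step 2: the token alone selects the account; a username in
    the request body is never consulted. Unknown, replayed or expired tokens fail."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop: a token can be used once
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    set_password(username, new_password)
    return True

def change_password(username, current_password, new_password):
    """Authenticated change: the current password is required and checked in
    constant time before anything is written."""
    if not verify_password(username, current_password):
        return False
    set_password(username, new_password)
    return True

def demo():
    """Exercise both flows; every value in the returned dict should be True."""
    now = datetime(2013, 1, 8, 12, 0)
    out = {}
    # Vulnerable flow: the low-privilege user takes over alice's admin account.
    vulnerable_reset("alice", "owned-by-mallory")
    out["vuln_takeover_works"] = verify_password("alice", "owned-by-mallory")
    # Hardened flow.
    out["forged_token_rejected"] = not redeem_reset_token("AAAA", "x", now)
    stale = issue_reset_token("alice", now)
    out["expired_rejected"] = not redeem_reset_token(stale, "x", now + TOKEN_TTL + timedelta(seconds=1))
    fresh = issue_reset_token("alice", now)
    out["valid_token_once"] = redeem_reset_token(fresh, "new-strong-passphrase", now + timedelta(minutes=5))
    out["replay_rejected"] = not redeem_reset_token(fresh, "x", now + timedelta(minutes=6))
    out["new_password_works"] = verify_password("alice", "new-strong-passphrase")
    out["wrong_current_rejected"] = not change_password("alice", "guess", "whatever")
    out["unknown_user_no_token"] = issue_reset_token("nobody", now) is None
    return out

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The difference is where authority comes from. In the vulnerable function it is the `target_user` field of the request, which any logged-in user controls; in the hardened flow it is possession of an unguessable token that was sent to the account owner and dies on first use or after 30 minutes. Returning the same generic response for known and unknown usernames in `issue_reset_token` also keeps the reset form from becoming a username oracle.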

This sounds basic – but it’s part of the due diligence that every business should do to truly understand the level of security that has been built into the product. Just because a vendor claims to offer “secure” file transfer or cloud sharing, doesn’t make it so.

If security really matters to you (and it should), your best bet is to start with a company that takes a “security first” approach and has the credentials to back it up.

Was your car stolen? Blame an unprotected privileged account

We’ve often referred to privileged accounts as the “keys to the kingdom”, given the wide-ranging access they provide. But are privileged accounts the key to your car as well? Maybe, if you drive a BMW. Nick Barron posted an article in SC Magazine UK this week demonstrating why this may be the case: BMWs: Gone in 60 keystrokes – SC Magazine UK.

For BMW’s new “keyless” cars, there is an administrative function that allows mechanics to service and repair the car. It also gives them access to the information needed to initialize a new key. That seems odd, but so far it isn’t a real problem, unless, of course, that same function is available to anyone and not just to your trusted garage mechanic. To make matters worse, the car alarm couldn’t detect the tampering. Car thieves have a clear shot.

This is a perfect example of what commercial and government organizations face with their IT-based resources.  Certain “privileged accounts” are built into nearly every IT product to allow authorized administrators to service and repair the systems.  Used properly, and by trusted, authorized people, they present no problem.  But of course, in malicious or careless hands, these accounts can cause catastrophic damage.

Best practices are emerging around a three-stage approach to managing these potential vulnerabilities. First, protect the credentials to these accounts, so only authorized users can access them. Next, add accountability: ensure that every time a privileged account is used, you know who the specific user is, what they did with the account and why they did it. Finally, provide real-time intelligence on how these accounts are being used, so that any potential misuse can be addressed immediately and not after the damage is done.

Using the BMW example for illustration, here’s how it might play out if proper privileged account controls were in place. First, access to the administrative function would be limited to authorized personnel only. Every action taken with the account would be recorded, with the owner able to review exactly what work was done, which mechanic did it and why. And of course, a real-time alert on the car owner’s smartphone saying that a key had been cloned would be very helpful in trying to catch the thief before they drove away with the $60,000 car.

I realize I’m ignoring many realities of cars and mechanics, of which I know very little.  But it’s a great way to think about the privileged account problem in our IT infrastructure.  Protection. Accountability. Intelligence.

Cyber-Ark Predicts: What’s Next on the Privileged Horizon

Over the past year we’ve witnessed several spectacular attacks that demonstrated just how dangerous cyber criminals have become. These attacks have emphasized that a narrow focus on protecting against the insider threat is short-sighted and that more preventative approaches are needed to guard against external, highly targeted and persistent attacks aimed at high-value information such as customer data and intellectual property. Taking stock of the threat landscape and emerging IT trends, we’ve summarized three key areas that we think will evolve significantly in the coming year, both in terms of technology innovation and risk.

Targeted Attacks: Preventative Protection on the Rise

As an industry, we’ve seen attacks move from opportunistic to increasingly sophisticated and targeted (think Stuxnet), with privileged access rights as a consistently, and perhaps increasingly, popular attack vector. Privileged accounts have proven to be a ‘sweet spot’ for attackers because of the broad, often anonymous access they provide to high-value targets. However, many organizations are still in the early stages of identifying and fixing privileged account weaknesses, including those caused by hard-coded passwords, and this gives attackers an extended window of opportunity.

That said, in the coming year we strongly believe that there will be a rise in more preventative approaches to protecting privileged accounts, including better isolation, access control and activity recording. This is due in part to greater awareness, increasing regulations and adoption of best practices, which are all driving significant growth for the privileged identity management market as a whole, and ultimately will help drive down the popularity of privileged accounts as an attack mechanism.

As a strong indicator of the increasing need for more proactive privileged account management, consider that, in response to the changing threat landscape, the SANS Institute announced a major update to its 20 Critical Controls earlier this year. The 20 Critical Controls are a prioritized baseline of information security measures designed to support continuous monitoring and better protect government and commercial computers and networks from cyber attacks. Several relate directly to privileged accounts: #8 Controlled Use of Administrative Privileges; #9 Controlled Access Based on the Need to Know and #11 Account Monitoring and Control.

Similarly, the most recent NIST 800-53 publication, which provides the recommended security controls for federal information systems and organizations, emphasizes establishing a proactive, preventative approach to privileged account management in order to achieve FISMA compliance.

SCADA Systems Under Attack: Vulnerabilities Continue to Put Critical Infrastructure at Risk

From weapons systems and water pumps to prison gates, systems not previously considered vulnerable to attack showed up in news headlines over the past year. Those attacks have drawn attention to the fact that many of those systems were not designed with security in mind. Because of hard-coded, weak or rarely changed passwords in programmable logic controllers and SCADA software, those targets have become accessible to attackers, potentially putting critical infrastructure at risk.

With repeated attacks on the horizon and awareness building, we expect that in 2012 there will be a notable increase in research into how hardware can be attacked through software and how code can be used to execute attacks, particularly in the energy and utilities space. One early indicator that more research and solutions are needed may be statements made earlier this year by the U.S. Department of Homeland Security, which said it was re-evaluating whether it makes sense to warn the public about all of the security failings of industrial control system (ICS) and SCADA software, and was considering separating design flaws from security holes.

One of the main challenges with SCADA systems is that even when specific vulnerabilities are known, the cycles to fix them are so slow that it often makes more sense to keep a vulnerability confidential so attackers won’t exploit it during the lengthy repair period. That is security by obscurity, and it cannot be a long-term strategy.

Private Clouds: Hypervisor Weaknesses Exposed

While some hesitancy around public cloud infrastructure may still exist, the infrastructure changes that come with rapid private cloud adoption could introduce new risks whose scope we are not yet fully aware of, yet which organizations will be expected to protect against proactively. For example, in a private cloud a virtual machine can sit on multiple servers or be accessible through multiple hosting centers. A systems administrator may know the virtual machine is accessible, but it is difficult to know who has access to it, when it was accessed, or what was done once access was achieved. The hypervisor provides some of that much-needed control, but at the same time becomes an attractive target for attack. In 2012, protecting against hypervisor threats will quickly become an IT security priority, and, as we achieve greater maturity in the virtualization space, we could see the cost efficiencies of virtualization take a back seat to increased risk. We will also see IT security teams taking a more significant role in the initial build-out and deployment of private clouds in order to put much-needed proactive security infrastructure in place.

What are your thoughts on these 2012 trends to watch? Do you have some of your own to share?

Morto A, Brute-Force and the Perpetual Problem of Insecure Privileged Accounts

By Roy Adar, Vice President of Product Management, Cyber-Ark Software

Consider these keyboard combinations: *1234, 123, 369, abc123, abcd1234, admin, admin123, letmein, pass, password, test and user.

Not exactly what you’d call strong administrative passwords, but they are some of the combinations the Morto A worm carries in its brute-force library to attack target machines. According to an article in NetworkWorld, the Morto A worm continues to spread “despite its reliance on a list of lame passwords to take over victim machines.” Those machines, and all the information on them, are now at the mercy of the worm to delete, corrupt or quietly steal.

We believe that with a few tweaks, this simple brute-force approach can quickly resurface in more targeted attacks. The most obvious response is to limit reliance on human-selected passwords, particularly for privileged accounts. Fully random, long passwords can take years to brute-force or may never be cracked. And when you consider an organization with thousands of sensitive servers, applications and systems, and hundreds of privileged accounts, automating the generation and management of strong passwords becomes all the more important to making the organization resistant to brute-force attacks.

This attack reminds me of the SQLsnake worm (aka SQLspida), which in 2001-2002 “brute-forced” its way into SQL Servers that had a blank “sa” password (the default at the time). It was extremely successful in spreading across tens of thousands of SQL Server databases where the default privileged password for “sa” had never been changed. While SQLsnake only tried a single password, Morto A tries 37 password values. How long before we see worms that take this to the next level, using internal random generators to run larger-scale brute-force attacks? It may not be long, given that such a worm does not need to carry a hard-to-disguise dictionary and can leverage local dictionary files, such as those shipped with Microsoft Word.
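Morto A’s technique is online password guessing over RDP against built-in administrator accounts, which shows up in the Windows Security log as a burst of failed logons (event 4625, logon type 10) from one source, followed by a success (4624) if a guess lands. As an added example that is not from the post or from Cyber-Ark, the Python below runs a sliding-window detector over constructed, simplified key=value records standing in for those events (the real log is XML/EVTX; the hosts, addresses and the one-line format here are made up) and reports the accounts tried and whether the burst ended in a successful logon. The 60-second window and five-failure threshold are assumptions to tune to your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified key=value form, standing in for
# Windows Security log events. EventID 4625 = failed logon, 4624 = successful
# logon, LogonType 10 = RemoteInteractive (RDP). Addresses are hypothetical.
SAMPLE_LOG = """\
2011-08-28T10:00:01 EventID=4625 TargetUserName=Administrator IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:02 EventID=4625 TargetUserName=admin IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:02 EventID=4625 TargetUserName=admin IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:03 EventID=4625 TargetUserName=test IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:04 EventID=4625 TargetUserName=user IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:05 EventID=4625 TargetUserName=Administrator IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:06 EventID=4624 TargetUserName=Administrator IpAddress=192.0.2.77 LogonType=10
2011-08-28T10:00:07 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.15 LogonType=2
2011-08-28T10:03:07 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.15 LogonType=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, event_id, user, source_ip, logon_type) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield (datetime.fromisoformat(d["ts"]), int(d["eid"]),
                   d["user"], d["ip"], int(d["lt"]))

def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Alert on a source IP once it produces `threshold` RDP failures inside a
    sliding `window`. The alert records the failure count at the moment the
    threshold was crossed, every account name tried so far, and whether a
    successful RDP logon from the same IP followed (the guess that worked)."""
    recent = defaultdict(deque)    # ip -> timestamps of failures within the window
    users_tried = defaultdict(set)
    alerts = {}                    # ip -> alert details
    for ts, eid, user, ip, lt in events:
        if lt != 10:               # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            users_tried[ip].add(user)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": q[0], "failures": len(q),
                              "accounts": sorted(users_tried[ip]),
                              "success_after": False}
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts

def run():
    return detect_bruteforce(parse(SAMPLE_LOG))

if __name__ == "__main__":
    for ip, alert in run().items():
        print(ip, alert)
```

The interactive-logon failures from 10.0.0.15 never trigger an alert because the detector only counts logon type 10; a real rule set would have a separate, slower threshold for local and network logons. A `success_after` of `True` is the line that should page someone: it means one of the "lame passwords" matched.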

So improving privileged password management isn’t just a good idea and a security best practice, it’s a business necessity. Consider the number of cyber attacks in the past year that used a common pathway into the organization: privileged accounts. While the initial infiltration may use common and rather hard-to-prevent techniques such as phishing or social engineering, once inside, attackers can fairly easily take advantage of the lack of proper privilege controls. If they can brute-force your privileged passwords, there is nothing to stop them from jumping from desktop to applications to your network core.

It’s been said before, but we subscribe to the notion that organizations need to assume that hackers have already breached the perimeter.  Therefore a proactive approach to implementing internal controls and protecting privileged accounts is a critical building block in your defense strategy.

What are your organization’s best practices for privileged password management?

Don’t shy away from data protection audits

The UK Information Commissioner, Christopher Graham, said today that businesses should be more willing to undergo data protection audits. This follows the publication of the Information Commissioner’s Office’s (ICO’s) annual report, which found that just 19 percent of private sector businesses contacted by the ICO following a data breach accepted the offer of a free data protection audit*.

Audits are a critical part of any well-run major business, helping to ensure efficiency, productivity and, with data protection audits, security and accountability. So it is odd that so many businesses would decline the offer of a free data protection audit.

At Cyber-Ark, we believe in developing solutions that not only deliver security, but also help organisations meet audits more effectively.  For example, with comprehensive logging of all privileged activity – including tracking who logged in, what they did and when they did it – meeting an audit can be made far simpler.  Every action is recorded and accountability is assured.

* ICO News Release

TechEd2011 Week: Our Q&A with Paul Kenyon, Co-founder and COO of Avecto

Microsoft TechEd North America 2011—an international conference that draws IT developers and professionals from around the globe and encourages engagement and collaboration with Microsoft innovators, third party leaders and industry peers—is now in full swing at the Georgia World Congress Center in Atlanta, Georgia. Cyber-Ark will be on hand to demonstrate the advantages of its Privileged Identity Management Suite as well as the advanced auto-discovery functionality for automating the detection process of all forms of privileged accounts, including the service accounts commonly associated with Microsoft Windows Services. To join the conversation surrounding the event, we decided to check in with one of our partners—Avecto, a pioneer in least privilege technology that enables organizations to deploy secure and compliant desktops—to see what they have planned for the show and beyond.

Read on for our brief Q&A with Paul Kenyon, Co-Founder and COO at Avecto:

Cyber-Ark: What does the Avecto team have in store for attendees and followers of TechEd 2011? Any new technologies and products you anticipate will generate a good deal of buzz at the show?

Paul: Avecto will be demonstrating the latest release of our  privilege management product, Privilege Guard 2.7. Amongst the various new features in the product we have significantly increased the integration with Windows 7 User Account Control (UAC). We see UAC as a great solution for true administrators and home users, but felt that there was some functionality lacking for corporate environments. In Privilege Guard 2.7 we have filled that gap to make Windows 7 migrations simpler and more secure.

Already, Privilege Guard has received the Windows 7 compatibility accreditation, and the product is a snap-in to Group Policy and WinRM (a standard feature in Windows 7) for centralizing our events. Specifically, what we have tried to do is avoid making our customers invest in additional architecture to obtain the benefits we provide—and we anticipate this will be received warmly at TechEd.

Cyber-Ark: Last year, Avecto and Cyber-Ark officially announced a strategic partnership to enable the resale of Avecto’s Privilege Guard products to Cyber-Ark’s Privileged Identity Management Suite customers. Can you share some milestones from this partnership in terms of evolving market demand and customer traction, even anecdotally?

Paul: Well to start, the relationship began with a meeting between myself and Udi Mokady, in Ireland, last year. I had suffered a fall from my mountain bike, so I was looking a little worse for wear, but needless to say, I didn’t want to miss the chance to get together with Udi whilst it was geographically so convenient to meet. It was at that meeting that it became clear that the synergy between our two companies was too great to pass up on the opportunity to partner.

Naturally these things take time to hatch but once all the paperwork had been completed and the partnership launched internally we started to see considerable customer interest arise. Only yesterday I spoke with a prospect who is looking at both our products and was keen to make me aware of the value of purchasing technologies that he knows are compliant with one another from day one.

Cyber-Ark: With security, and IT in general, the focus always seems to be on “What’s Next?” With that in mind, how do you foresee enterprise security practices and technologies, both on-premise and in the cloud, evolving come TechEd 2012?

Paul: Most of the organizations we have spoken to are saying similar things; they have invested in anti-virus, firewalls, intrusion prevention and various other technologies at the perimeter but now they want to further secure desktops and servers inside the network. More than that, we have seen the increasing demand on CISOs to improve customer satisfaction, which means that they need to implement technology that improves the security of the business but not directly at the expense of user flexibility.

Our “Trust, Security and Passwords” Survey Says… Protect Data from the Inside Out

Yesterday we were proud to release the results of our 5th annual “Trust, Security and Passwords” survey, a survey that has become a valuable indicator of how organizations view enterprise security threats, particularly those related to powerful, anonymous privileged users. The findings are the result of online surveys conducted in the spring of 2011 with 1422 IT staff and C-level executives across North America and EMEA. This was the first time we reached out to the C-suite to explore their perspectives on the threat landscape, from both an internal and an external perspective. While the results have changed over the years, each year some of the findings surprise us while others reaffirm existing beliefs. This year was no different…

With nearly constant news cycles associated with cyber attacks and increased awareness around advanced persistent threats (APT), in many ways it makes sense that 57 percent of global C-level executives agreed that in the next one-to-three years, external threats such as cyber-criminals will become a greater security risk than insider threats.  This could be due to a belief that there are more technologies available and controls in place to “contain” the insider threat, or simply the greater attention being given to cyber-attacks such as those impacting companies like EMC’s RSA Security Division, Epsilon and WordPress.

While this year’s survey emphasized the rise of external threats, it also showed that many organizations are still struggling with insider vulnerabilities. Roughly one in six (16 percent) of C-level respondents admitted that cases of insider sabotage had taken place within their enterprise and, similarly, 16 percent of those respondents also believe that competitors may have received highly sensitive information or intellectual property, including customer lists, product information and marketing plans, from sources within their own organization. And, given its broad reach and highly privileged, anonymous access to various networks, systems and applications, nearly half (48 percent) of all global respondents chose the IT department as the most likely to snoop, another internal force to contend with.

Whatever the entry point into an organization, the end target is usually the same: highly sensitive intellectual, financial and customer information, which can be reached through highly powerful privileged accounts and passwords. The increased focus on external attacks will undoubtedly lead organizations to scramble to build higher walls around their critical data, but security teams need to stop simply building walls and start better isolating and protecting that data.

The RSA Breach and Security Best Practices: The Role of Least Privilege

As the security industry continues to look for answers and insight into RSA’s recent data breach, we found the security best practices suggested to SecurCare customers valuable for nearly every organization that shares, stores or provides access to sensitive data. We need to wait and see what emerges about this latest attack to learn which vector was used, but we support and re-emphasize RSA’s response to its customers, as it provides valuable, current and real-world lessons every organization should follow.

Following are several that are particularly relevant to our customers and partners, including:

• We recommend customers enforce strong password and pin policies.

• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.

• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.

• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.

Let’s dive into the concept of enforcing the rule of least privilege for end users and security administrators: the idea is to provide only the amount of privilege necessary for a given activity. Applied to privileged accounts, those used by administrators or applications to access and manage key systems, applications and databases, this becomes harder to do, since these powerful accounts often provide full, unfettered access to enterprise systems and applications.

However, what’s often overlooked is how these accounts can provide unwanted escalation of privileges for Advanced Persistent Threat (APT) attacks. These access points, often in the form of embedded or hard-coded passwords, exist in almost every networked system, application or database. We saw this recently with Stuxnet, which entered through an embedded credential in a SCADA system, and in the Operation Aurora attacks on several companies’ source code management systems.

While malicious outsiders and insiders have often focused on the administrative credentials of typical systems like servers and databases, IT organizations need to identify every asset that has a microprocessor, memory or an application or process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organizational vulnerabilities.
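Finding the embedded credentials this paragraph describes is the first step to removing them. The Python below is an added example, not from the post or from Cyber-Ark: a small scanner over constructed configuration and script files (every path, username and secret is made up) that matches the common shapes of a hard-coded password, namely properties-style `password=` keys, shell `export ...PASSWORD=` lines and `Password=` fields inside connection strings, skips values that are placeholders for a secret store, de-duplicates a line that two patterns both match, and redacts the values it reports so the scan output does not itself become a credential leak. The patterns are a starting point, not an exhaustive rule set.

```python
import re

# Constructed sample files standing in for application config and scripts found
# on a server. Every host, user and secret below is made up.
SAMPLE_FILES = {
    "app/db.properties": (
        "jdbc.url=jdbc:oracle:thin:@db01:1521/ORCL\n"
        "jdbc.user=APPADMIN\n"
        "jdbc.password=Summer2011!\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export PGPASSWORD='b4ckup-sa'\n"
        "pg_dump -U postgres prod > /backup/prod.sql\n"
    ),
    "app/web.config": (
        "<connectionStrings>\n"
        '  <add name="Main" connectionString="Server=sql01;User ID=sa;Password=sa;" />\n'
        "</connectionStrings>\n"
    ),
    "app/settings.yml": "db_password: ${DB_PASSWORD}\napi_key: changeme\n",
    "README.md": "Set the password with the `passwd` command.\n",
}

# Each pattern captures the secret value in a group named 'secret'.
PATTERNS = [
    ("properties/ini", re.compile(
        r"^\s*[\w.]*(?:password|passwd|pwd|secret|api_key)\s*[=:]\s*(?P<secret>[^\s#]+)",
        re.I | re.M)),
    ("shell export", re.compile(
        r"^\s*(?:export\s+)?\w*(?:PASSWORD|PASSWD|SECRET|TOKEN)\w*=['\"]?(?P<secret>[^'\"\s]+)",
        re.M)),
    ("connection string", re.compile(
        r"(?:Password|Pwd)\s*=\s*(?P<secret>[^;\"'\s]+)", re.I)),
]

# Values that reference a secret store or are obvious placeholders, not secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\$\w+|%\w+%|<.*>|\*{3,})$")

def redact(value):
    """Keep two leading characters of longer values so a finding can be recognised,
    never echo short secrets at all."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)

def scan(files):
    """Return a list of findings: file, 1-based line, pattern kind, redacted value."""
    findings = []
    for path, text in files.items():
        seen = set()
        for kind, pat in PATTERNS:
            for m in pat.finditer(text):
                secret = m.group("secret")
                if PLACEHOLDER.match(secret):
                    continue
                line_no = text.count("\n", 0, m.start()) + 1
                if (line_no, secret) in seen:
                    continue  # the same literal already reported under another pattern
                seen.add((line_no, secret))
                findings.append({"file": path, "line": line_no,
                                 "kind": kind, "value": redact(secret)})
    return findings

def scan_samples():
    return scan(SAMPLE_FILES)

if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['value']}")
```

Two of the sample files illustrate why the extra rules matter: `settings.yml` references `${DB_PASSWORD}`, which is how a secret should be supplied and is correctly ignored, while the `README.md` sentence that merely mentions the word "password" produces no finding. Every literal that is reported is a candidate for moving into a vault and replacing with a runtime lookup.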

At the end of the day, the use of privileged access to exploit vulnerabilities such as hardcoded passwords is a very real threat that provides malicious hackers with new ways into the enterprise. It’s not just about ensuring that your system administrators are equipped with least privileged access, it’s something that every company—security vendors and enterprises alike—needs to recognize and proactively guard against.

What are some of your favorite security best practices, particularly related to managing, monitoring and controlling privileged access?
