Cyber-Ark Predicts: What’s Next on the Privileged Horizon
Posted on December 15, 2011 by Andrey Dulkin
Over the past year we’ve witnessed several spectacular attacks that demonstrated just how dangerous cyber criminals have become. These attacks have emphasized that a narrow focus on protecting against the insider threat is short-sighted and that more preventative approaches are needed to guard against external, highly targeted and persistent attacks that focus on high value information such as customer data and intellectual property. In taking stock of the threat landscape and emerging IT trends, we’ve summarized three key areas that we think will evolve significantly in the coming year, both in terms of technology innovation and risk.
Targeted Attacks: Preventative Protection on the Rise
As an industry, we’ve seen attacks move from opportunistic to increasingly sophisticated and targeted (think Stuxnet), with privileged access rights as a consistently – and perhaps increasingly – popular attack vector. Privileged accounts have proven to be a ‘sweet spot’ for attackers because of the broad, often anonymous access they provide to high value targets. However, many organizations are still in the early stages of identifying and solving privileged account weaknesses, including those caused by hard-coded passwords, which provides attackers with an extended window of opportunity.
That said, in the coming year we strongly believe that there will be a rise in more preventative approaches to protecting privileged accounts, including better isolation, access control and activity recording. This is due in part to greater awareness, increasing regulations and adoption of best practices, which are all driving significant growth for the privileged identity management market as a whole, and ultimately will help drive down the popularity of privileged accounts as an attack mechanism.
As a strong indicator of the increasing need for more proactive privileged account management, consider that, in response to the changing threat landscape, the SANS Institute announced a major update to its 20 Critical Controls earlier this year. The 20 Critical Controls is a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks from cyber attacks. Several are directly related to privileged accounts: #8 Controlled Use of Administrative Privileges; #9 Controlled Access Based on the Need to Know and #11 Account Monitoring and Control.
Similarly, the most recent NIST 800-53 publication, which provides the recommended security controls for federal information systems and organizations, places an emphasis on establishing a proactive, preventative approach to privileged account management in order to achieve FISMA compliance.
SCADA Systems Under Attack: Vulnerabilities Continue to Put Critical Infrastructure at Risk
From weapons systems and water pumps to prison gates, systems not previously considered vulnerable to attack showed up in news headlines over the past year. Those attacks have generated visibility for the fact that many of those systems were not designed with security in mind. Because of the hard-coded or weak/rarely changed passwords in tools like programmable logic controllers or SCADA software, those targets have become accessible to attackers, potentially putting critical infrastructure at risk.
With repeated attacks on the horizon, and building awareness, we expect that in 2012 there will be a notable increase in research dedicated to examining how hardware can be attacked by software, and the use of code to execute attacks particularly in the energy and utilities space. One early indicator that more research and solutions are needed may be statements made earlier this year by the U.S. Department of Homeland Security that said it was reevaluating whether it makes sense to warn the public about all of the security failings of industrial control system (ICS) and SCADA software – considering re-categorizing design flaws vs. security holes.
One of the main challenges with SCADA systems is that even when specific vulnerabilities are known, the cycles to fix them are so slow that it often makes more sense to keep the vulnerability confidential so attackers won’t exploit it during the lengthy repair period (this is “security by obscurity,” which of course is not a long-term strategy).
Private Clouds: Hypervisor Weaknesses Exposed
While some hesitancy around public cloud infrastructure may still exist, infrastructure changes resulting from rapid private cloud adoption could introduce new risks whose scope we may not yet fully understand, yet which organizations will be expected to proactively protect against. For example, in a private cloud scenario, a virtual machine can sit on multiple servers or be accessible through multiple hosting centers. A systems administrator may know the virtual machine is accessible, but it’s difficult to know who has access to it, when it was accessed, or what was done once access was achieved. The hypervisor provides some of that much-needed control, but at the same time becomes an attractive target for attack. In 2012, protecting against hypervisor threats will quickly become an IT security priority, and, as we achieve greater maturity in the virtualization space, we could potentially see the cost efficiencies of virtualization take a second seat behind increased risk. We will also see IT security teams taking a more significant role in the initial build-out and deployment of private clouds to initiate much-needed proactive security infrastructure.
What are your thoughts on these 2012 trends to watch? Do you have some of your own to share?
Morto A, Brute-Force and the Perpetual Problem of Insecure Privileged Accounts
Posted on September 1, 2011 by Roy Adar
By Roy Adar, Vice President of Product Management, Cyber-Ark Software
Consider these keyboard combinations: *1234, 123, 369, abc123, abcd1234, admin, admin123, letmein, pass, password, test and user.
Not exactly what you’d call strong administrative passwords, but they are some of the combinations the Morto A worm carries in its brute-force library to attack target machines. According to an article in NetworkWorld, the Morto A worm continues to spread “despite its reliance on a list of lame passwords to take over victim machines.” Those machines, and all the information on them, are now vulnerable and at the mercy of the virus to delete, corrupt or quietly steal.
We believe that with a few tweaks, this simple brute-force approach can quickly resurface in more targeted attacks. Of course the most obvious response to better protecting organizations against this sort of attack is to limit reliance on “human selected passwords,” particularly related to passwords for privileged accounts. Ideally, fully random, long passwords can take years to brute-force or may never be cracked. And, when you consider an organization with thousands of sensitive servers, applications and systems, and hundreds of privileged accounts, automating the generation and management of strong passwords becomes all that more important to making the organization resistant to brute-force attacks.
This attack reminds me of the SQLsnake worm (aka SQLspida) that in 2001-2002 “brute-forced” its way into SQL Servers that had a blank “sa” password (the previous default password). It was extremely successful in spreading across tens of thousands of SQL Server databases where the default privileged password for “sa” was never changed from manufacturer defaults. While the SQLsnake only tried a single password, the Morto A tries 37 password values. How long before we see viruses that take this to the next level by using internal random generators to try larger scale brute-force attacks? It may not be long given that the virus does not need to contain a hard-to-disguise dictionary and can leverage the local Microsoft Word dictionary files, for example.
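As an added example (not Cyber-Ark’s code, and not part of the original post), a Python policy check for proposed privileged-account passwords: it rejects the worm-list values quoted above and estimates how long exhausting a candidate’s search space would take. The guess rate, the 100-year threshold and the twelve-entry list (the post names only those of the 37) are assumptions made for the example.

```python
import secrets
import string

# The twelve weak passwords quoted in the post from the Morto A worm's list.
# Constructed subset for this example; a production check would load a full
# breach/dictionary list, but the post names only these values.
MORTO_A_PASSWORDS = frozenset({
    "*1234", "123", "369", "abc123", "abcd1234", "admin",
    "admin123", "letmein", "pass", "password", "test", "user",
})

# Assumed attacker capability in guesses per second. A remote login brute
# force runs far slower than this; the figure is deliberately pessimistic
# (offline-cracking speed) so the policy errs on the safe side.
ASSUMED_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def in_worm_list(candidate: str) -> bool:
    """True if the candidate (compared case-insensitively) is a quoted worm password."""
    return candidate.lower() in MORTO_A_PASSWORDS


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    if any(c.isspace() for c in password):
        size += 1
    return size


def years_to_exhaust(password: str,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every string of the same length over the same classes."""
    search_space = charset_size(password) ** len(password)
    return search_space / guesses_per_second / SECONDS_PER_YEAR


def generate_random_password(length: int = 20) -> str:
    """Machine-generated password from a CSPRNG over printable ASCII (no spaces)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess(password: str, min_years: float = 100.0) -> dict:
    """Policy decision for a proposed privileged-account password."""
    if in_worm_list(password):
        return {"verdict": "reject", "reason": "in Morto A brute-force list", "years": 0.0}
    years = years_to_exhaust(password)
    if years < min_years:
        return {"verdict": "reject", "reason": "search space too small", "years": years}
    return {"verdict": "accept", "reason": "ok", "years": years}


if __name__ == "__main__":
    for candidate in ("admin123", "Summer2011", generate_random_password()):
        print(candidate, assess(candidate))
```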
So, improving privileged password management isn’t just a good idea and a security best practice, it’s a business necessity. Consider the number of cyber attacks in the past year that used a common pathway for entering an organization, via privileged accounts. While the initial infiltration can use common and rather hard to prevent techniques such as phishing or social engineering, once inside, hackers can fairly easily take advantage of the lack of proper privilege controls. If hackers can easily brute-force your privileged passwords there is nothing to stop them from jumping from desktop, to applications, to your network core.
It’s been said before, but we subscribe to the notion that organizations need to assume that hackers have already breached the perimeter. Therefore a proactive approach to implementing internal controls and protecting privileged accounts is a critical building block in your defense strategy.
What are your organization’s best practices for privileged password management?
Don’t shy away from data protection audits
Posted on July 6, 2011 by Mark Fullbrook
The UK Information Commissioner, Christopher Graham, today said that businesses should be more willing to undergo data protection audits. This follows the publication of the Information Commissioner’s Office’s (ICO’s) annual report, which found that just 19 percent of private sector businesses contacted by the ICO following a data breach accepted the offer to undergo free data protection audits*.
Audits are a critical part of any well-run major business, helping to ensure efficiency, productivity, and, with data protection audits, security and accountability – so it’s odd that so many businesses would decline the offer of a free data protection audit.
At Cyber-Ark, we believe in developing solutions that not only deliver security, but also help organisations meet audits more effectively. For example, with comprehensive logging of all privileged activity – including tracking who logged in, what they did and when they did it – meeting an audit can be made far simpler. Every action is recorded and accountability is assured.
TechEd2011 Week: Our Q&A with Paul Kenyon, Co-founder and COO of Avecto
Posted on May 18, 2011 by Josh Arrington
Microsoft TechEd North America 2011—an international conference that draws IT developers and professionals from around the globe and encourages engagement and collaboration with Microsoft innovators, third party leaders and industry peers—is now in full swing at the Georgia World Congress Center in Atlanta, Georgia. Cyber-Ark will be on hand to demonstrate the advantages of its Privileged Identity Management Suite as well as the advanced auto-discovery functionality for automating the detection process of all forms of privileged accounts, including the service accounts commonly associated with Microsoft Windows Services. To join the conversation surrounding the event, we decided to check in with one of our partners—Avecto, a pioneer in least privilege technology that enables organizations to deploy secure and compliant desktops—to see what they have planned for the show and beyond.
Read on for our brief Q&A with Paul Kenyon, Co-Founder and COO at Avecto:
Cyber-Ark: What does the Avecto team have in store for attendees and followers of TechEd 2011? Any new technologies and products you anticipate will generate a good deal of buzz at the show?
Paul: Avecto will be demonstrating the latest release of our privilege management product, Privilege Guard 2.7. Amongst the various new features in the product we have significantly increased the integration with Windows 7 User Account Control (UAC). We see UAC as a great solution for true administrators and home users, but felt that there was some functionality lacking for corporate environments. In Privilege Guard 2.7 we have filled that gap to make Windows 7 migrations simpler and more secure.
Already, Privilege Guard has received the Windows 7 compatibility accreditation, and the product is a snap-in to Group Policy and WinRM (a standard feature in Windows 7) for centralizing our events. Specifically, what we have tried to do is avoid making our customers invest in additional architecture to obtain the benefits we provide—and we anticipate this will be received warmly at TechEd.
Cyber-Ark: Last year, Avecto and Cyber-Ark officially announced a strategic partnership to enable the resale of Avecto’s Privilege Guard products to Cyber-Ark’s Privileged Identity Management Suite customers. Can you share some milestones from this partnership in terms of evolving market demand and customer traction, even anecdotally?
Paul: Well, to start, the relationship began with a meeting between myself and Udi Mokady, in Ireland, last year. I had suffered a fall from my mountain bike so was looking a little worse for wear, but needless to say, I didn’t want to miss the chance to get together with Udi whilst it was geographically so convenient to meet. It was at that meeting that it became clear that the synergy between our two companies was too great to pass up on the opportunity to partner.
Naturally these things take time to hatch but once all the paperwork had been completed and the partnership launched internally we started to see considerable customer interest arise. Only yesterday I spoke with a prospect who is looking at both our products and was keen to make me aware of the value of purchasing technologies that he knows are compliant with one another from day one.
Cyber-Ark: With security, and IT in general, the focus always seems to be on “What’s Next?” With that in mind, how do you foresee enterprise security practices and technologies, both on-premise and in the cloud, evolving come TechEd 2012?
Paul: Most of the organizations we have spoken to are saying similar things; they have invested in anti-virus, firewalls, intrusion prevention and various other technologies at the perimeter, but now they want to further secure desktops and servers inside the network. More than that, we have seen the increasing demand on CISOs to improve customer satisfaction, which means that they need to implement technology that improves the security of the business but not directly at the expense of user flexibility.
Our “Trust, Security and Passwords” Survey Says… Protect Data from the Inside Out
Posted on April 15, 2011 by Adam Bosnian
Yesterday we were proud to release the results of our 5th annual “Trust, Security and Passwords” survey, a survey that has become a valuable indicator of how organizations view enterprise security threats, particularly related to powerful, anonymous privileged users. The findings are the result of online surveys conducted in the spring of 2011 with 1422 IT staff and C-Level executives across North America and EMEA. This was the first time we reached out to the C-Suite to explore their perspectives on the threat landscape, from both an internal and external perspective. While the results may have changed over the years, each year some of the findings surprise us while others reaffirm existing beliefs. This year was no different…
With nearly constant news cycles associated with cyber attacks and increased awareness around advanced persistent threats (APT), in many ways it makes sense that 57 percent of global C-level executives agreed that in the next one-to-three years, external threats such as cyber-criminals will become a greater security risk than insider threats. This could be due to a belief that there are more technologies available and controls in place to “contain” the insider threat, or simply the greater attention being given to cyber-attacks such as those impacting companies like EMC’s RSA Security Division, Epsilon and WordPress.
While this year’s survey emphasized the rise of external threats, it also showed that many organizations are still struggling with insider vulnerabilities. Nearly 1 in 5 (16 percent) of C-level respondents admitted that cases of insider sabotage had taken place within their enterprise and similarly, 16 percent of those respondents also believe that competitors may have received highly sensitive information or intellectual property including customer lists, product information and marketing plans from sources within their own organization. And, with their broad reach and highly privileged, anonymous access to various networks, systems and applications, nearly half (48 percent) of all global respondents chose the IT department as the most likely to snoop – another internal force to contend with.
Regardless of the entry point into an organization, the end target is usually the same: highly sensitive intellectual, financial and customer information, which can be accessed through highly powerful privileged accounts and passwords. This increased focus on external attacks will undoubtedly lead organizations to scramble to build higher walls to protect their critical data – but security teams need to stop building those walls and start better isolating and protecting that data.
The RSA Breach and Security Best Practices: The Role of Least Privilege
Posted on March 22, 2011 by Adam Bosnian
As the security industry continues to look for answers and insight to RSA’s recent data breach, we found the security best practices suggested to SecurCare customers valuable for nearly every organization that shares, stores or provides access to sensitive data. We need to wait and see what emerges from this latest attack to see what vector was used – but we support and re-emphasize the response by RSA to its customers as it provides some valuable, current and real-world lessons every organization needs to follow.
Following are several that are particularly relevant to our customers and partners:
• We recommend customers enforce strong password and pin policies.
• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
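The last recommendation above, watching for changes in user privilege levels and requiring approval for them, can be expressed as a simple SIEM-style rule. The Python below is an added example, not RSA’s guidance or Cyber-Ark’s code; the log lines are constructed (a simplified key=value rendering of the Windows group-membership events 4728/4732/4756), and the privileged-group list and change-ticket lookup are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Groups whose membership changes always warrant review (assumed list; extend
# per environment).
PRIVILEGED_GROUPS = frozenset({
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
})

# Windows security event IDs for "member added" to a security-enabled group:
# 4728 global, 4732 local, 4756 universal.
MEMBER_ADDED_EVENTS = frozenset({4728, 4732, 4756})

# Assumed change-approval register: (member, group) -> ticket id. A SIEM rule
# would query a ticketing system or an approval workflow instead.
APPROVED_CHANGES = {("jdoe", "Domain Admins"): "CHG-1042"}

# Constructed sample log, one event per line, modeled loosely on the fields of
# the events above. Not real captured data.
SAMPLE_LOG = """\
ts=2011-03-21T09:14:02Z event_id=4728 subject=admin.ops member=jdoe group="Domain Admins"
ts=2011-03-21T09:20:55Z event_id=4728 subject=svc_backup member=tmp_user group="Domain Admins"
ts=2011-03-21T09:31:10Z event_id=4732 subject=helpdesk1 member=asmith group="Remote Desktop Users"
ts=2011-03-21T10:02:47Z event_id=4756 subject=admin.ops member=svc_backup group="Enterprise Admins"
"""

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+)\s+event_id=(?P<id>\d+)\s+subject=(?P<subject>\S+)\s+'
    r'member=(?P<member>\S+)\s+group="(?P<group>[^"]+)"'
)


@dataclass
class GroupChange:
    timestamp: str
    event_id: int
    subject: str   # account that performed the change
    member: str    # account that was added
    group: str


def parse_line(line: str) -> Optional[GroupChange]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return GroupChange(m["ts"], int(m["id"]), m["subject"], m["member"], m["group"])


def flag_unapproved_privilege_changes(log_text: str) -> List[dict]:
    """Alert on additions to privileged groups that have no approved change ticket."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.event_id not in MEMBER_ADDED_EVENTS:
            continue
        if ev.group not in PRIVILEGED_GROUPS:
            continue  # routine group: log it, but no manual-approval requirement
        if (ev.member, ev.group) in APPROVED_CHANGES:
            continue  # change was pre-approved; nothing to escalate
        alerts.append({
            "timestamp": ev.timestamp,
            "event_id": ev.event_id,
            "actor": ev.subject,
            "member": ev.member,
            "group": ev.group,
            "action": "escalate: privileged group change without approval ticket",
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_unapproved_privilege_changes(SAMPLE_LOG):
        print(alert)
```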
Let’s dive into the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only the amount of privilege necessary for a given activity. When applied to privileged accounts, those used by administrators or applications to access and manage key systems, applications and databases, it becomes a bit harder to do, since these powerful accounts often provide full, unfettered access to enterprise systems and applications.
However, what’s often overlooked is how these accounts can provide unwanted ‘escalation of privileges’ for Advanced Persistent Threat (APT) attacks. These access points, often in the form of embedded or hardcoded passwords, exist in almost every networked system, application or database. We saw this recently with the Stuxnet virus – entering through an embedded credential in a SCADA system – as well as in the Operation Aurora attacks on several companies’ source code management systems.
While malicious outsiders and insiders have focused often on the administrative credentials on typical systems like servers, databases and the like, in reality, IT organizations need to identify every asset that has a microprocessor, memory or an application/process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organizational vulnerabilities.
At the end of the day, the use of privileged access to exploit vulnerabilities such as hardcoded passwords is a very real threat that provides malicious hackers with new ways into the enterprise. It’s not just about ensuring that your system administrators are equipped with least privileged access, it’s something that every company—security vendors and enterprises alike—needs to recognize and proactively guard against.
What are some of your favorite security best practices, particularly related to managing, monitoring and controlling privileged access?
Mark Fullbrook, of Cyber-Ark, talks about their Privileged Session Identity
Posted on March 17, 2011 by Josh Arrington
Privileged Conversations at RSA: From the Cloud to the White House
Posted on March 3, 2011 by Adam Bosnian
As it has every year since its inception, the RSA Conference drew a large number of security vendors, researchers, professionals and insiders of all stripes. Not surprisingly, cloud security emerged as one of the most popular themes addressed throughout the conference, partly due to the buzz and anticipation surrounding The Cloud Security Alliance Summit. That said, while the security of the cloud and other virtual environments were certainly focal points for this year’s show, several other important themes, issues and opportunities were addressed that also challenged the notion of status quo security.
As part of the mission of “Privileged Insights,” we are especially intrigued by topics that address the overarching sophistication and evolution of security threats, particularly the exploitation of privileged accounts and identities to access sensitive information. So while the CSA Summit attracted a lot of attention, and Chris Hoff, Director of Cloud and Virtualized Solutions for Cisco, delivered an insightful presentation that illuminated the importance of transparency between cloud providers and customers, it was Salesforce.com CEO Mark Benioff and Chief Trust Officer Jim Cavalieri who added a different twist to the cloud security picture—it’s not just the cloud, it’s the provider’s infrastructure that we need to worry about. Obviously, this is something that resonates well with IT security professionals.
When we examine the infrastructure of a provider’s data center, it’s realistic to expect that it could contain hundreds or thousands of servers, databases, workloads, applications, services and network devices (among other components), all exposing access points for management and control. Some of these access points are extremely powerful (i.e. privileged) while others are not. Regardless, access points should be accessed only by authorized sources. Cyber criminals understand the potential of these networks of privileged access points and by leveraging these vulnerabilities they have transformed the cyber crime frontier, as seen with many of the recent APT attacks, such as Stuxnet.
As Symantec pointed out in their presentation, the best approach to combat Stuxnet and similar attacks is a coordinated one focused on policy, protection and monitoring controls—all central tenets of privileged identity management.
Similar takeaways were found elsewhere at RSA that justify the importance of employing “privileged insights” to security intelligence. White House CIO Vivek Kundra explained some of the rationale behind the federal government’s increasing utilization of the cloud, including the importance of continuous monitoring. Cyber-Ark believes for continuous monitoring efforts to be effective, they must be properly automated by privileged session management solutions. Elsewhere, the CSA officially announced the launch of a new working group, CloudSIRT – cloud security incident and response. Interestingly, a recent survey conducted by CloudSIRT found that privileged user threats were one of the main vulnerabilities recognized by cloud adopters.
The list could go on, but we’re curious: where else did you hear insightful discussions about the power of privilege at RSA? From our perspective, the discussion is now less about educating the market on privileged identity management technology; it has evolved into a need to better understand the emerging security and compliance challenges that the technology can proactively help solve. Do you agree?
Celebrating 20 Years: RSA Conference Keeps on Rollin’
Posted on February 14, 2011 by Josh Arrington
Leading up to the RSA Conference, we in the security industry tend to be acutely aware of new threats and breaches. This year is no different, with emerging stories associated with cyber threats like Night Dragon and speculation swirling about the motivation behind the Nasdaq hack. And, you don’t need another headline to remind you that cloud security is top-of-mind for a majority of RSA attendees.
Cyber-Ark believes that as these cyber threats become more targeted and sophisticated, organizations’ fears about loss of control and lack of security are amplified, particularly in the data center. This is further reinforced by the increasing dependency on virtual environments, whether on premise or with Cloud Service Providers, where the magnitude of risk increases dramatically through a single privileged access.
This year at RSA (booth #2045), Cyber-Ark is launching a solution that offers continuous protection against internal and advanced external threats in the data center. That solution is our new Privileged Session Management Suite. This comprehensive Suite improves compliance and risk management with the ability to isolate, control and record privileged access to databases, virtual environments and servers using a common platform for reduced total cost of ownership. Users can view session recordings or monitor sensitive events across the entire data center using one web interface or dashboard view, and generate a unified report for audit and compliance purposes.
This Suite is another important step in proactively enhancing an organization’s security posture, particularly as privileged accounts are commonly the target of attack due to the system-wide access they enable. Organizations must isolate and protect their sensitive servers, databases and hypervisors and be able to control and record ‘who’ and ‘what’ are accessing these business-critical systems.
Please join us at RSA, and roll by our booth where our big “Wheel of Privilege” will be turning. Try your hand for a chance to win an iPad, and, in the words of the iconic Tina Turner, don’t spend another minute worryin’ about the way things might have been. Talk with Cyber-Ark to learn more about steps your organization can take to proactively protect against security threats targeting your most sensitive data, applications and systems.
Councils fined for unencrypted laptop theft
Posted on February 8, 2011 by Josh Arrington
The UK Information Commissioner’s Office has today issued two local government councils with fines for breaches of the Data Protection Act. The two bodies were fined £80k / $128k and £70k / $113k respectively after two unencrypted laptops, containing the details of around 1,700 individuals, were stolen from the home of an employee working on the joint out of hours service for both councils.
What’s particularly interesting in this case is that one of the councils actually had a policy in place requiring all data to be encrypted – something which they’d evidently failed to roll out organisation-wide.
Given both councils chose to ignore the warning signs, it’s quite clear that more needs to be done to ensure that organisations take data protection more seriously. As we’ve seen in the US with Senate Bill 1386, fines certainly act as a wake-up call to those involved, but education is absolutely essential if staff are to understand the pitfalls that can ensue from poor data protection policies.
With four fines already under its belt, the UK ICO seems set to make its point – issuing a warning only last week to local councils threatening prosecution for failure to implement proper data control procedures. Unfortunately we’re still seeing the fallout from organisations that are simply not succeeding in protecting valuable data, so it remains to be seen whether such warnings will be taken seriously. If not, and lessons are to be learned the hard way, at least we can be sure the powers that be will not be turning a blind eye.
