
Are You Ready to Take the Next Jump? Secure your IT Environment with Next Gen Jump Servers

If you happen to read our blog and industry commentary on a regular basis, then you understand our commitment to highlighting the direct connection between privileged accounts and advanced internal threats and cyber attacks. In almost every cyber attack, there is a link between the pathway used by the hackers and poor security around privileged accounts.

However, while privileged accounts exist everywhere (on servers, databases and network devices, in telephony systems, embedded in applications), the 2012 Verizon Data Breach Investigations Report found that in 2011, 94% of the data stolen during sophisticated cyber attacks came from servers.

One way to proactively mitigate the impact of these data breaches is to attain separation between sensitive and non-sensitive assets within your network. By creating an isolated zone, organizations can, conceivably, minimize the risk that a potential attacker could access sensitive data.

One traditional approach to creating this separation involves the use of jump servers, also known as jump hosts, golden hosts, jump boxes or bastion hosts. However, much like other conventional security approaches, such as firewalls and other perimeter security initiatives, simply deploying jump servers ignores the privileged connection itself. Isolating sensitive assets behind a jump server is indeed a mandatory step in controlling access to sensitive data, but something is missing. The problem is that if the jump server is not the only control point into the target server, that is, if the privileged account's credential can still be used directly against the target, then a malicious insider or external attacker who hijacks the privileged administrator password can bypass the whole jump server solution and cause havoc.
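To make the "only control point" requirement concrete, here is an added example (not code from the post, and not Cyber-Ark's product) that audits an SSH target for the two places a homegrown jump host is usually bypassed: the target's sshd_config and the privileged account's authorized_keys. The controls it looks for are real OpenSSH options: `PermitRootLogin no` globally with a `Match Address` block for the bastion, `PasswordAuthentication no` so a stolen password is useless on its own, and a `from="…"` restriction on every key. The bastion address 10.0.0.5 and both pairs of configuration files are constructed sample input.

```python
"""Audit an SSH target for 'bastion-only' enforcement of privileged logins.

Added example. Assumptions (constructed): the jump server sits at
10.0.0.5, the privileged account is root, and the sshd_config and
authorized_keys contents below are sample text, not real hosts.
"""
import re

BASTION = "10.0.0.5"

# Constructed sample: the jump host exists, but nothing stops an attacker
# who holds the root password from skipping it and logging in directly.
SSHD_CONFIG_WEAK = """
PermitRootLogin yes
PasswordAuthentication yes
"""

# Hardened: no passwords, no root login at all except from the bastion.
SSHD_CONFIG_HARDENED = """
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.5
    PermitRootLogin prohibit-password
"""

AUTHORIZED_KEYS_WEAK = """
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly admin@laptop
"""

AUTHORIZED_KEYS_HARDENED = """
from="10.0.0.5",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly psm-proxy
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]), keys lower-cased."""
    global_settings, matches = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            current = {}
            matches.append((value.strip(), current))
        else:
            current[key] = value.strip()
    return global_settings, matches


def key_sources(authorized_keys):
    """For each key line, the set of hosts it may be used from ('*' = anywhere)."""
    sources = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r'from="([^"]+)"', line)
        sources.append(set(m.group(1).split(",")) if m else {"*"})
    return sources


def bypass_findings(sshd_config, authorized_keys, bastion=BASTION):
    """List the ways a stolen root credential could skip the jump server."""
    findings = []
    g, matches = parse_sshd_config(sshd_config)
    # OpenSSH defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes.
    root_global = g.get("permitrootlogin", "prohibit-password").lower()
    if root_global != "no":
        findings.append("root login permitted from any address (PermitRootLogin=%s)" % root_global)
    if g.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication enabled: a stolen root password logs in directly")
    for crit, _settings in matches:
        if crit.lower().startswith("address") and bastion not in crit:
            findings.append("Match block scoped to %r, not the bastion %s" % (crit, bastion))
    for i, src in enumerate(key_sources(authorized_keys), 1):
        if src != {bastion}:
            findings.append("authorized key %d usable from %s" % (i, ",".join(sorted(src))))
    return findings


if __name__ == "__main__":
    print("weak:", bypass_findings(SSHD_CONFIG_WEAK, AUTHORIZED_KEYS_WEAK))
    print("hardened:", bypass_findings(SSHD_CONFIG_HARDENED, AUTHORIZED_KEYS_HARDENED))
```

The weak pair yields three findings and the hardened pair none. The audit only reads configuration; the enforcement is the configuration itself, and it should be backed by a network ACL that exposes the target's SSH port to the bastion alone, so that a credential stolen from a desktop has nowhere to go except through the monitored path.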

Fortunately, there is a solution, and it is not simply locking down privileged accounts through proactive management and continuous monitoring. As we outline in a new whitepaper, aptly titled “Isolation, Control & Monitoring in Next Generation Jump Servers,” unlike homegrown jump servers that still require a privileged credential to access target systems, a new class of Next Generation Jump Servers can be deployed to merge isolation, control and monitoring into a single solution that truly protects an organization’s sensitive business information. Take a look at the whitepaper to learn more and to understand how you can create isolation that blocks the spread of desktop malware and monitors for malicious activity, all while protecting the privileged accounts through pre-defined workflows enforced for every privileged session.

And of course, make sure to check out our integrated solution, Privileged Session Management (PSM) Suite, which acts as a secure proxy that organizations can use to isolate, control and monitor all privileged access to sensitive servers, databases or virtual machines.


The Hunt for Red October: Privileged Accounts Persist as Common Attack Vector

Last week, another significant and advanced cyber attack caught the security headlines for all of the right, and wrong, reasons. The attack was first uncovered by researchers at Kaspersky Lab, who identified what they described as a “high-level cyber-espionage campaign” that has infiltrated networks at diplomatic, governmental and scientific research organizations over the past five years. While the targets of the attack, dubbed Red October, may be reminiscent of other noteworthy breaches, including Stuxnet and Flame, the campaign is in essence a malware-based external breach and espionage platform that siphons data from mobile devices, PCs and network hardware. Once inside the enterprise, the attackers could scan across the network and exploit vulnerabilities, including those accessible with administrative credentials and/or default passwords.

While the attack is primarily gaining publicity due to its apparently sophisticated and deliberate cyber espionage initiative against government and diplomatic organizations, the malware is another example of the industry’s fascination with custom tooling that can be used to bypass the enterprise perimeter and steal sensitive data. In the case of Red October, the attack penetrates the perimeter and gathers intelligence from traditional attack targets (workstations) as well as other network-connected devices, including smartphones, network equipment configuration software and removable disk drives.

What the media—and the industry—continues to overlook, however, is the common pathway between these external attacks and the stolen data. While cyber espionage, malware attacks and proactive perimeter security measures may gain more intrigue, the real issue is that once inside, attackers immediately target privileged accounts to gain widespread access to the rest of the network.

Examining Red October further, it’s clear that this attack is no different from others, including Stuxnet and Flame, that targeted and leveraged privileged accounts. In this case, once inside the networks of their government targets, the Red October perpetrators were able to move around the network as if they were a privileged employee and uncover additional vulnerabilities to exploit, using admin credentials retrieved from malware-infected databases and systems. Once these credentials are stolen, attackers can take things to the next level by reusing them in later attacks and by guessing similar passwords and network credentials in other locations. This should come as no surprise: although they serve as the gateway to an organization’s most sensitive data, privileged accounts are often protected by weak passwords, which are seldom replaced.

So while news will continue to detail the ramifications of Red October, it is important to note that we have been here before. Saudi Aramco. Subway Restaurants. Global Payments. US Chamber of Commerce. The list goes on, and will continue to grow, if organizations continue to fail to recognize the importance of locking down and securing these privileged access points. Ultimately this is a different approach to security, starting on the inside and working outward, but it is an imperative. Rather than focusing on firewalls or perimeter security, organizations need to prioritize the identification, monitoring and management of privileged accounts.

It may be bad news for headline writers, but this approach will block hackers from gaining the true spoils they desire—sensitive corporate and government data accessible only through privileged accounts.


Protecting Privileged Accounts can be the Difference Between “Managing” and “Securing” File Transfers

In the digital world in which we live, securing file transfers is critically important to personal and corporate security. Every day we send and receive sensitive information with the expectation that the services we use help us keep it secure.

But, as we re-learn constantly, vendors calling themselves ‘secure’ doesn’t always make it so. The latest egregious example is found in a high profile vulnerability discovered in a managed file transfer service used internally by Facebook employees:
http://yro.slashdot.org/story/13/01/08/1949210/serious-password-reset-hole-in-accellion-secure-ftp

In short, the vulnerability allowed an attacker to create a new user account, log in with that account and change the password of any other user, even one with full administrative privileges. After that, a would-be attacker has a clear shot at any of the data in the file transfer application. Ouch!

Unfortunately, that’s what can happen when security is added as an afterthought and is not a core design principle built into the product from the ground up.

Given that Cyber-Ark’s business is all about privileged accounts and securing critical data from advanced attacks, we do know something about this. If you are looking at a truly secure file transfer service that won’t put your critical data at grave risk, here are some things you need to look for.

  1. The process used to create new users should not rely on public, generic URLs, but should have a full set of security controls and optional secure workflows (for example, administrator approval) in place.
  2. The entire password reset process should work in a secure way:
    • It shouldn’t rely only on an HTTP POST request; it must either ask for the user’s current password (for a logged-in change) or require a unique reset token (for a forgotten password).
    • It shouldn’t transfer confidential parameters in a POST request protected only by Base64, which is an encoding, not encryption; the transport must be encrypted and the token itself must be unguessable.
    • The reset function should use a unique, single-use link with an expiration period, not a public, generic and insecure link.
    • It should offer the option of adding personal security question challenges to the process.
  3. Session management should be done in a secure way using a unique session ID and unique per-request tokens. The session identifier must never be carried in the URL, where it ends up in logs, referrers and browser history.
  4. Executable code should be obfuscated (this raises the bar for reverse engineering but is not a substitute for the controls above).
  5. The file repository should be fully encrypted and separated from the web application server in case the web portal is attacked.
  6. Follow the National Institute of Standards and Technology (NIST) guidance and “require your vendor to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes and validation techniques”.
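The password-reset items in the checklist are easiest to see side by side in code. The following is an added example written for this post; it is not Accellion's code, not Cyber-Ark's, and not a reconstruction of the actual bug. It keeps a single in-memory user table, delivers reset tokens out of band (the return value stands in for the e-mail), stores only a hash of each token, expires them, and consumes them on first use. The user names, passwords and the SHA-256 password hashing are constructed for illustration; a real service would use a slow, salted password hash.

```python
"""Password-reset flow with the controls the checklist asks for (added example).

Assumptions (constructed): in-memory users, tokens delivered by e-mail to the
address on file, and a `now` parameter so expiry is reproducible in tests.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetService:
    def __init__(self):
        # username -> {"password_hash": str, "email": str, "reset": None | dict}
        self.users = {}

    @staticmethod
    def _hash(secret):
        # Illustrative only; production code uses a slow, salted password hash.
        return hashlib.sha256(secret.encode()).hexdigest()

    def add_user(self, username, password, email):
        self.users[username] = {"password_hash": self._hash(password),
                                "email": email, "reset": None}

    def verify_password(self, username, password):
        user = self.users.get(username)
        return bool(user) and hmac.compare_digest(user["password_hash"], self._hash(password))

    # --- the flaw the post describes: no proof the caller owns the account -----
    def reset_insecure(self, target_username, new_password):
        """Any authenticated caller can reset any account, admins included."""
        self.users[target_username]["password_hash"] = self._hash(new_password)

    # --- hardened flow ---------------------------------------------------------
    def change_password(self, username, current_password, new_password):
        """Logged-in change: requires the current password, not just a POST."""
        if not self.verify_password(username, current_password):
            return False
        self.users[username]["password_hash"] = self._hash(new_password)
        return True

    def request_reset(self, username, now=None):
        """Issue a random, expiring, single-use token; returns what gets e-mailed.

        The HTTP response to the caller is the same whether or not the user
        exists, so this endpoint does not enumerate accounts."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not Base64 of an id
        user["reset"] = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),  # hash at rest
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, username, token, new_password, now=None):
        """Consume the token: it must match, be unexpired, and be used once."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        pending = user["reset"] if user else None
        if pending is None:
            return False
        user["reset"] = None  # single use: any attempt, right or wrong, burns it
        if now > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(pending["token_hash"], presented):
            return False
        user["password_hash"] = self._hash(new_password)
        return True
```

Burning the pending token on a failed attempt trades a possible nuisance (the legitimate user must request again) for immunity to online guessing of the token; a deployment that prefers a retry counter should still bound the attempts. Nothing here depends on hiding the reset URL: the security is in the token's entropy, its hash-only storage, its expiry and its single use.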

This sounds basic – but it’s part of the due diligence that every business should do to truly understand the level of security that has been built into the product. Just because a vendor claims to offer “secure” file transfer or cloud sharing, doesn’t make it so.

If security really matters to you, (and it should,) your best bet would be to start with a company with a “security first” approach, and the credentials to back it up.


Contest Winner: Cyber-Ark’s 3rd Annual #SysAdminDay Twitter Contest

On behalf of the entire Cyber-Ark team, thank you to all of this year’s participants in our 3rd Annual SysAdmin Appreciation Day Twitter Contest. We are proud to publicly announce this year’s winning entry.

Before we divulge the details, we want to once again let our fantastic judging panel (Matt Simmons, Wesley David and Cole Lavallee) know how much we appreciate their time, consideration and efforts!

As you know, this year we asked participants the following question:

“What skills and experience have you gained in the past year that will most help you in the coming one, and why?”

After deliberation, our judges (Matt Simmons, Wesley David and Cole Lavallee) selected the below entrant as this year’s winner!

@unpixie: #SysAdminDay @CyberArk attend a USENIX/LOPSA conference for face-to-face community bonding, talk to experts, and learn cool sysadmin stuff.

The judges unanimously felt that this participant crafted a response that expressed a commitment to her SysAdmin career through acquisition of valuable skills and experience. Wesley David remarked that @unpixie deserved the top prize because “the single biggest skill that I learned so far is to network and make friends with people in the industry. There’s a skill to getting to know the right people. Not just anyone, but people who have a positive attitude and also know the sysadmin craft in an unusually brilliant manner.”

So congratulations to @unpixie! We’ll be in touch with information regarding your grand prize.


Cyber-Ark’s 3rd Annual #SysAdminDay Twitter Contest

It’s that time of the year again! For the third year in a row, to help show our appreciation and support for system administrators located across the globe, Cyber-Ark will host a Twitter contest to coincide with the 13th annual System Administrator Appreciation Day – which takes place on Friday, July 27th, 2012. Like last year, we will extend the SysAdmin festivities a bit, and provide participants with extra time to participate and spread the positive vibes related to their achievements.

Here are the details:

This year, we’re asking participants to not only reflect on their greatest IT achievement from the past year, but to also anticipate the IT trends that will continue to drive and shape the SysAdmin position for years to come.

Our System Administrator Appreciation Day Twitter Contest question is:

“What skills and experience have you gained in the past year that will most help you in the coming one, and why?”

While it is not a requirement, we encourage respondents to relate their garnered skills and experience to a specific achievement. Even better, feel free to detail an achievement that you think your fellow SysAdmins can relate to and may soon encounter on their own (think: high-profile IT trends)!

This year’s judges include:

Matt Simmons – a prolific SysAdmin blogger and community evangelist
Wesley David – influential SysAdmin blogger and operations manager
Cole Lavallee – SysAdmin at NetApp

This esteemed panel of SysAdmin judges will review all entries and select one (1) winner and two (2) runner-ups based on the quality of the Tweet (the skills mastered/achievement detailed, and the perspective provided in relation to how these skills will be beneficial in the year ahead).

Additional Details

The contest winner will receive an Amazon Kindle Fire and the two runners-up will each receive a $50 Amazon gift card.

The contest will begin at 9:00 a.m. ET on Tuesday, July 24th and will conclude at 1:00 p.m. ET on Friday, July 27th. Responses will be monitored throughout the week. The winner will be announced by 1:00 p.m. ET on Friday, July 27th by @cyberark through a series of Tweets and a post on this blog.

To be eligible to win, users need to Tweet a response alongside the #SysAdminDay hashtag and @Cyberark. This is important as it allows other Twitter users and contest participants to follow along. Proper format is as follows: “#SysAdminDay @cyberark RESPONSE”

Since Twitter has a 140 character limit (of course!), brevity is important. However, participants are also encouraged to elaborate on their Tweet by continuing their response by posting a comment under this blog post. This way, participants can provide a more detailed and/or creative response. However, this is not a requirement for eligibility and is only a suggestion.

More details and eligibility requirements are below. We look forward to seeing you on Twitter!

- The Cyber-Ark Team

Limit one Tweet (entry) per participant—any user that creates and/or uses multiple accounts to participate will be deemed ineligible. Re-Tweets from other users are encouraged, however.
To be eligible to win and receive the Kindle, participants must be followers of @Cyberark on Twitter. Prize information will be sent via Direct Message.
Cyber-Ark employees are allowed to participate but are ineligible to win the prize.


IT Security Rewind: The Continued Rise of Privileged Attacks (our eBook Preview Edition)

As part of this week’s IT Security Rewind, we have decided to take a deeper examination into recent massive data breaches to demonstrate how attackers continue to exploit administrative and privileged accounts to conduct their system-wide damage. We’ll also preview our soon to be released eBook, which covers similar ground through an even more historical examination and discussion of solutions to effectively manage, secure and mitigate the threats associated with privileged credentials.

Data Breaches Gone Wild

First, let’s take a look at some recent attacks that have forced IT insiders and stakeholders to reevaluate their proactive approaches to security and access control:

  • Last December, the U.S. Chamber of Commerce confirmed that compromised administrator accounts led to an attack by Chinese hackers. The breach compromised the information of the Chamber’s 3 million members.
  • In March of this year, a Global Payments breach exposed financial data belonging to 1.5 million users of Visa and Mastercard. Analyst firm Gartner has claimed the attack resulted from a weak authentication mechanism that enabled access to an administrative account.
  • Most recently, this month, attackers were able to access health records stored by the Utah Department of Technology Services by cracking a “weak” default administrative password. Once inside, the servers, and the data housed there, were compromised.

The Privileged Pathway

In all three of these well-publicized cases, hackers were able to bypass perimeter security controls to gain access to target systems through the same poorly protected and wide-open gateway: privileged and administrative accounts. In each case, once inside, attackers leveraged the privileged account to gain access to additional servers, databases and other high-value systems that only a select few people are actually granted permission to access.  The result, as demonstrated by the above, is easy access to millions of sensitive records.

Unfortunately, these accounts have emerged as a primary target for hackers because infiltration is possible through rather simple means: an easy-to-crack password, spear-phishing or an exploitable zero-day vulnerability. In the Utah case, the cause of the breach was a weak password that was supposed to protect a very sensitive privileged access point on a server.


The Problem with Sharing

The problem that continues to persist is that privileged accounts are often shared, with passwords that are rarely changed. This remains the great paradox of identity and access management, and of security in general: while attackers are targeting these incredibly sensitive access points, personal passwords to websites such as Facebook are held to higher standards of strength and rotation than the root and administrator passwords that guard the data.

These vulnerabilities are not limited to a specific industry – we see it across the spectrum.  In fact, this is very similar to the weaknesses and vulnerabilities at the Bonneville Power Administration highlighted by the Energy Department.  Auditors uncovered 11 servers configured with weak passwords – including one that hosted an administrative account with a default password.

While troubling, reports of this nature are commonplace and are a contributing reason as to why we continually see massive breaches of this nature in the headlines.
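Findings like the Bonneville audit (weak passwords, a default password on an administrative account) are cheap to look for on your own hosts. The following added example, written for this post and not drawn from the Energy Department audit or from any Cyber-Ark product, flags the two symptoms of "shared and stale" on a Linux box: more than one UID-0 account (a sign root is being shared rather than delegated), and privileged passwords that are empty or older than the rotation policy. The /etc/passwd and /etc/shadow lines, the 90-day policy and the fixed "today" value are all constructed sample input.

```python
"""Flag privileged accounts whose password is shared and stale (added example).

Assumptions (constructed): the passwd/shadow text below, 'today' fixed at
day 19000 since the epoch so results are reproducible, a 90-day policy.
"""
MAX_AGE_DAYS = 90
TODAY = 19000  # days since 1970-01-01 (the unit /etc/shadow uses)

# Constructed sample data. Two UID-0 entries: root and a second "backup admin".
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
appadmin:x:1001:1001::/home/appadmin:/bin/bash
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
"""

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:
SHADOW = """\
root:$6$saltsalt$hashhash:17000:0:99999:7:::
toor::18990:0:99999:7:::
appadmin:$6$saltsalt$hashhash:18950:0:99999:7:::
svc:!:18000:0:99999:7:::
"""


def parse_passwd(text):
    """username -> uid for every passwd line."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        out[fields[0]] = int(fields[2])
    return out


def parse_shadow(text):
    """username -> (hash field, last-change day or None)."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        out[fields[0]] = (fields[1], int(fields[2]) if fields[2] else None)
    return out


def uid0_accounts(passwd):
    """All accounts that are effectively root; more than one means root is shared."""
    return sorted(u for u, uid in parse_passwd(passwd).items() if uid == 0)


def stale_privileged(passwd, shadow, today=TODAY, max_age=MAX_AGE_DAYS):
    """Return {username: reason} for UID-0 accounts that violate policy."""
    findings = {}
    ages = parse_shadow(shadow)
    for user in uid0_accounts(passwd):
        hashed, changed = ages.get(user, (None, None))
        if hashed is None:
            findings[user] = "no shadow entry"
        elif hashed == "":
            findings[user] = "empty password field: login without a password"
        elif hashed.startswith(("!", "*")):
            continue  # locked or no-login; not usable interactively
        elif changed is None:
            findings[user] = "password age unknown"
        elif today - changed > max_age:
            findings[user] = "password last changed %d days ago" % (today - changed)
    return findings


if __name__ == "__main__":
    print("uid 0:", uid0_accounts(PASSWD))
    for user, why in stale_privileged(PASSWD, SHADOW).items():
        print("%s: %s" % (user, why))
```

On the sample data the check reports root (password unchanged for 2000 days) and toor (no password at all). Run across a fleet, the same logic is the evidence behind the "11 servers with weak passwords" style of audit finding, and it is the kind of check a privileged account management deployment automates rather than leaves to an annual review.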

Cyber Attacks and Privilege: Stay Tuned for More

For Cyber-Ark, these trends and developments are startling but not novel. Next week, we’ll be releasing a new eBook, “Don’t Give Cyber Attackers the Privilege,” focused specifically on the proliferation of cyber attacks targeting unmanaged privileged accounts. The eBook outlines a history of this abuse dating back to January 2010 through a compilation of privilege-related attacks, and the steps required to control these access points through privileged identity management.


IT Security Rewind: The Week of March 12

With several major security shows like the U.S. RSA Conference 2012 and Black Hat Europe behind us, and several more in the queue, the industry is tireless when it comes to elevating awareness around the evolving threat landscape.  And it has to be, as it seems hackers never ease up in their relentless pursuit of vulnerabilities to exploit. With that said, let’s take a look at some topics that are generating buzz in IT security. We’ll dub this our IT Security Rewind: March Madness Edition!

No Longer Privileged: Employee turnover is a cost of doing business, but what happens when an employee with privileged user account access (e.g. a sys-admin) leaves the company? Apparently not enough. An IT Director piece examines the propensity of organizations to ineffectively close out the user accounts of inactive sys-admins. Fortunately, proactive removal and monitoring of privileged accounts is a central tenet of effective privileged identity management best practices. Organizations should avoid risks by deploying solutions that grant privileges on an ‘as needed’ basis.

APT? What’s in a name? The pursuit of a precise definition continues to perplex the IT security community, and this week CSO took a stab at truly defining the term through an in-depth feature. The article focuses on the basic components of an APT, the actors normally involved, and some common attack vectors. One glaring omission: the piece does not address the privilege escalation angle that is commonly associated with most APTs.

Password: You are the Weakest Link. Goodbye: Joe McKendrick of ZDNet compiled an insightful follow-up post to the results of the Trustwave 2012 Global Security Report which highlights how poor IT password management persists as the largest security concern facing most organizations. The report indicates that “the use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation.” As McKendrick describes, the use of default (and hardcoded) passwords, in particular, creates system-wide vulnerabilities that enable hackers to attack with limited sophistication.

That’s it for this week—what else is making you “mad” about IT security?


IT Security Rewind: The RSA Edition

After a jam-packed week in San Francisco, the Cyber-Ark team is home – a little tired but also inspired by our experiences at IT security’s biggest conference of the year – RSA 2012. In addition to the great buzz associated with the launch of our brand new product – Privileged Session Manager version 7 –we decided to use this week’s IT Security Rewind to reflect on the week and provide you our take on major RSA show news and events.

Art Coviello Takes the Hot Seat…

Ahead of his keynote presentation that kicked off RSA, Art Coviello sat down with AllThingsDigital reporter Arik Hesseldahl to answer seven questions about one of the most highly publicized cyber-security attacks, which occurred almost one year ago: the RSA security token hack. While he didn’t reveal anything new about the hack, Art did offer his words of advice: “the bottom line is that we do hope, in the final analysis, that people have more of a sense of urgency in protecting themselves, because the truth of the matter is that we weren’t alone.” This quote set the tone for the RSA show as IT professionals looked back on a year of sophisticated APTs and examined the future of how we will go about protecting ourselves.

Verizon gives a preview…

In time for RSA, Verizon published a snapshot of data from its upcoming 2012 Data Breach Investigations Report, revealing that more than 85 percent of the data breach incident response cases investigated by Verizon Business last year originated from a hack, and more than 90 percent of them came from the outside rather than via a malicious insider or business partner. However, the preview also found that “the most commonly used venue for breaches was exploiting default or easily guessed passwords, with 29 percent of the cases last year.” RSA and the U.S. Chamber of Commerce are just a few organizations that learned the privileged identity management lesson the hard way.

If you forgot to tune in on Sunday…

Keeping with some core themes from the RSA show…if you’re curious to hear what retired Gen. Mike Hayden, former head of the National Security and Central Intelligence agencies had to say about Stuxnet and similar cyber weapons, 60 Minutes aired a segment on Sunday that shows just how real cyber threats are and how serious government agencies are taking the threat of future attacks. FBI Director Robert Mueller stated, “I do believe that the cyber threat will equal or surpass the threat from counterterrorism in the foreseeable future.” If you missed “Stuxnet: Computer worm opens new era of warfare” you can watch the full segment here.

What were your best RSA moments this year?  Comment below!


Cyber-Ark Introduces Version 7 of its Privileged Identity & Privileged Session Management Solutions

Cyber-Ark explains how it is helping enterprises meet today’s advanced security challenges and highlights the new capabilities, offered in its largest release to date, further extending its long standing market leadership. By focusing on continuously protecting the datacenter, learn how Cyber-Ark creates powerful solutions that fight internal and advanced threats and satisfy the growing demands of compliance.


IT Security Rewind – Week of February 13, 2012


This week’s IT security news coverage was shaped largely by the fallout from Nortel’s 10-year data breach, which some have now identified as one of the primary factors in the company’s ultimate downfall, speculating that competitors were able to gain access to sensitive IP over the course of a decade. Here are several stories we think offer the best perspectives on the breach.

  • History of a Decade-Long Hack: According to the Wall St. Journal, using seven passwords stolen from top Nortel executives, hackers penetrated Nortel’s computers, repeatedly downloading technical papers, R&D reports, business plans, employee emails and other documents.  From our standpoint, this is another high-profile example of the need to better manage and control privileged access.  With relative ease, it appears the hackers were able to use the passwords to access the network, then, once inside, elevate privileges in order to access sensitive data and information.  From an industry standpoint, Nortel’s ‘inaction’ is inexcusable.
  • Expect Defenses to Fail: So what can we learn from all this? Information Week published a piece that took a first crack at some answers, “8 Lessons From Nortel’s 10-Year Security Breach.” Some quick takeaways? Expect defenses to fail, conduct a thorough forensic analysis and expect greater accountability.
  • An Empowering Cybersecurity Bill?: In other news, called “critical” in order to avoid our country suffering a “catastrophic attack,” a bipartisan group of senators introduced long-awaited cybersecurity legislation. According to CSO, this is a comprehensive bill that would encourage the sharing of information about threats and attacks between government and industry.  Specifically, the Cybersecurity Act of 2012 would give the Department of Homeland Security power to regulate the kind of company security protections government deems necessary to protect critical infrastructure — such as power and phone companies, water and treatment plants, wireless providers and other companies based on DHS risk assessments.

We’d like to hear your thoughts.  What lessons do you think we can learn from Nortel?  What are your hopes for outcomes from the Cybersecurity Act?
