Was your car stolen? Blame an unprotected privileged account
Posted on January 8, 2013 by John Worrall
We’ve often referred to privileged accounts as the “Keys to the Kingdom” given the wide ranging access they provide. But are privileged accounts the “Key” to your car as well? Maybe, if you drive a BMW. Nick Barron posted an article in SC Magazine UK this week demonstrating why this may be the case: BMWs: Gone in 60 keystrokes – SC Magazine UK.
For BMW’s new “keyless” cars, there is an administrative function that allows mechanics to service and repair the car. It also provides them access to the information needed to initialize a new key. Seems odd, but so far, it’s not a real problem. Unless, of course, that same function is available to anyone, and not just to your trusted garage mechanic. To make matters worse, the car alarm couldn’t detect the tampering. Car thieves have a clear shot.
This is a perfect example of what commercial and government organizations face with their IT-based resources. Certain “privileged accounts” are built into nearly every IT product to allow authorized administrators to service and repair the systems. Used properly, and by trusted, authorized people, they present no problem. But of course, in malicious or careless hands, these accounts can cause catastrophic damage.
Best practices are emerging around a three-stage approach to managing these potential vulnerabilities. First, protect the credentials to these accounts, so only authorized users can access them. Next, add accountability. Ensure that every time a privileged account is used, you know who the specific user is, what they did with the account and why they did it. Finally, provide real-time intelligence on how these accounts are being used so that any potential misuse can be addressed immediately, and not after the damage is done.
Using the BMW example for the purpose of illustration, here’s how it might play out if proper privileged account controls are in place. First, access to the administrative function would be limited to authorized personnel only. Every action taken using the account should be recorded, with the owner being able to review exactly what work was done, which mechanic did it and why. And of course, a real-time alert on the car owner’s smart phone telling them that the key was cloned would be very helpful in trying to catch the thief before they drove away with the $60,000 car.
I realize I’m ignoring many realities of cars and mechanics, of which I know very little. But it’s a great way to think about the privileged account problem in our IT infrastructure. Protection. Accountability. Intelligence.
IT Security Rewind: The Week of March 12
Posted on March 19, 2012 by Josh Arrington
With several major security shows like the U.S. RSA Conference 2012 and Black Hat Europe behind us, and several more in the queue, the industry is tireless when it comes to elevating awareness around the evolving threat landscape. And it has to be, as it seems hackers never ease up in their relentless pursuit of vulnerabilities to exploit. With that said, let’s take a look at some topics that are generating buzz in IT security. We’ll dub this our IT Security Rewind: March Madness Edition!
No Longer Privileged: Employee turnover is a cost of doing business, but what happens when an employee with privileged user account access (e.g. a sys-admin) leaves the company? Apparently not enough. An IT Director piece examines the propensity of organizations to ineffectively close out the user accounts of inactive sys-admins. Fortunately, proactive removal and monitoring of privileged accounts is a central tenet of effective privileged identity management best practices. Organizations should avoid risks by deploying solutions that grant privileges on an ‘as needed’ basis.
APT? What’s in a name? The pursuance of a precise definition continues to perplex the IT security community and this week CSO took a stab at truly defining the term through an in-depth feature. The article focuses on the basic components of an APT, the normal actors involved, and some common attack vectors. One glaring omission: The piece does not address the privileged escalation angle that is commonly associated with most APTs.
Password: You are the Weakest Link. Goodbye: Joe McKendrick of ZDNet compiled an insightful follow-up post to the results of the Trustwave 2012 Global Security Report which highlights how poor IT password management persists as the largest security concern facing most organizations. The report indicates that “the use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation.” As McKendrick describes, the use of default (and hardcoded) passwords, in particular, creates system-wide vulnerabilities that enable hackers to attack with limited sophistication.
That’s it for this week—what else is making you “mad” about IT security?
Blended Attacks: The Nasdaq Edition
Posted on October 25, 2011 by Adam Bosnian
Despite spending nearly $1 billion a year defending itself against constant cyber attacks, news broke late last week in an exclusive report from Reuters that “the hackers who infiltrated the Nasdaq’s computer systems last year installed malicious software that allowed them to spy on the directors of publicly held companies.”
According to the story, the Nasdaq case, reportedly similar to the attack against RSA earlier this year, is an example of a “blended attack,” where elite hackers infiltrate one target to facilitate access to another. Nasdaq has said that hackers attacked a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives, among other things. By infecting Directors Desk, the hackers were able to access confidential documents and the communications of board directors.
As Jaikumar Vijayan emphasized in his recent article for Computerworld, “Despite Stuxnet, Duqu, control system flaws still overlooked,” most efforts to fix infrastructure threats are wrongly focused. It seems Nasdaq learned the hard way that throwing a large budget at a security issue to build up perimeter walls won’t fix an issue that’s already inside. “God knows exactly what they have done. The long term impact of such attack is still unknown,” Tom Kellermann, a well-known cyber security expert, told Reuters of the attack.
Cyber-Ark believes that regardless of the attack vector, there must be heightened emphasis on the importance of proactively locking down and isolating sensitive information, and maybe even more critically, the servers, systems and applications where this confidential information resides or is transmitted to or from. Post-fact reaction by its very nature means that the vulnerability has already been leveraged. Only truly proactive, preventative approaches can help organizations guard themselves from these types of ongoing and often persistent attacks.
Additionally, it’s important to examine the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only that amount of privilege necessary for a given activity. What’s often overlooked is how these accounts can be tampered with to provide unwanted ‘escalation of privileges’ to aid in persistent attacks – as appears to have happened in the Nasdaq case.
In the RSA case, recommendations to customers included enforcing strong password and PIN policies, watching closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and considering more levels of manual approval for those changes. Could these steps have helped Nasdaq? It will be interesting to learn more as this story continues to unfold.
IT Security Rewind – Week of September 19
Posted on September 23, 2011 by Josh Arrington
It was another interesting week for IT security professionals, with numerous developments, breaking stories and breaches to follow. But before we dig in to this week’s Rewind—we wanted to wish a warm farewell to Dave Kearns, who wrote one of the final pieces for the penultimate edition of the Network World Identity Management newsletter. We wish Dave well with his analyst role at Kuppinger-Cole—where he’ll continue to provide us with keen security insights!
APT: In Review – It’s never easy to put together a “lessons learned” type of piece when it involves a sensitive and well-documented security attack, but Pacific Northwest National Laboratory CIO Jerry Johnson did a great job at the recent InformationWeek 500 conference. Johnson developed a presentation that described the APT attack against his company with such details as “when the intruders tried to recreate and elevate account privileges, this action triggered an alarm, alerting the lab’s cybersecurity team…” It’s information like this that can help all security professionals better prepare themselves and anticipate vulnerabilities.
Is “SIEM dead as claimed?”—To no surprise, questions like these usually provoke responses of all types. As Computerworld reported, a recent survey “conducted with senior security professionals at Global 5000 and federal organizations” found that “SIEM has joined signature-based technologies on the ash heap of IT history.” However, advocates for SIEM, like Dr. Anton Chuvakin of Gartner disagree—stating that while SIEM is not a tool that should be used primarily to prevent attacks, it’s still an important monitoring technology.
Access Rules – InfoSecurity provided more background on the $2.3 billion UBS fraud case this week. While details are still swirling, it’s clear that this is another example of a trader acting beyond authorization in a highly regulated market. While the article delves deeper, calling for tighter monitoring and controls, the question remains: If access and risk management controls and processes were in place, how were the traders able to circumvent them?
Anything we missed? What stories have you been following? Let us know!
Morto A, Brute-Force and the Perpetual Problem of Insecure Privileged Accounts
Posted on September 1, 2011 by Roy Adar
By Roy Adar, Vice President of Product Management, Cyber-Ark Software
Consider these keyboard combinations: *1234, 123, 369, abc123, abcd1234, admin, admin123, letmein, pass, password, test and user.
Not exactly what you’d call strong administrative passwords, but they are some of the combinations the Morto A worm carries in its brute-force library to attack target machines. According to an article in NetworkWorld, the Morto A worm continues to spread “despite its reliance on a list of lame passwords to take over victim machines.” Those machines, and all the information on them, are now vulnerable and at the mercy of the virus to delete, corrupt or quietly steal.
We believe that with a few tweaks, this simple brute-force approach can quickly resurface in more targeted attacks. Of course the most obvious response to better protecting organizations against this sort of attack is to limit reliance on “human selected passwords,” particularly related to passwords for privileged accounts. Ideally, fully random, long passwords can take years to brute-force or may never be cracked. And, when you consider an organization with thousands of sensitive servers, applications and systems, and hundreds of privileged accounts, automating the generation and management of strong passwords becomes all the more important to making the organization resistant to brute-force attacks.
This attack reminds me of the SQLsnake worm (aka SQLspida) that in 2001-2002 “brute-forced” its way into SQL Servers that had a blank “sa” password (the previous default password). It was extremely successful in spreading across tens of thousands of SQL Server databases where the default privileged password for “sa” was never changed from manufacturer defaults. While the SQLsnake only tried a single password, the Morto A tries 37 password values. How long before we see viruses that take this to the next level by using internal random generators to try larger scale brute-force attacks? It may not be long given that the virus does not need to contain a hard-to-disguise dictionary and can leverage the local Microsoft Word dictionary files, for example.
So, improving privileged password management isn’t just a good idea and a security best practice, it’s a business necessity. Consider the number of cyber attacks in the past year that used a common pathway for entering an organization, via privileged accounts. While the initial infiltration can use common and rather hard to prevent techniques such as phishing or social engineering, once inside, hackers can fairly easily take advantage of the lack of proper privilege controls. If hackers can easily brute-force your privileged passwords there is nothing to stop them from jumping from desktop, to applications, to your network core.
It’s been said before, but we subscribe to the notion that organizations need to assume that hackers have already breached the perimeter. Therefore a proactive approach to implementing internal controls and protecting privileged accounts is a critical building block in your defense strategy.
What are your organization’s best practices for privileged password management?
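The check and the rotation described in this post, as an added example that is not part of the original post or any Cyber-Ark product: it flags privileged accounts whose password is one of the values the post quotes from Morto A's list and replaces them with fully random ones. The account names, the 16-character minimum and the guess rate are assumptions; the sample inventory is constructed.

```python
import math
import secrets
import string

# The weak passwords this post quotes from Morto A's brute-force list.
# (The post names these 12; it states the worm tries 37 values in total.)
MORTO_LISTED = {"*1234", "123", "369", "abc123", "abcd1234", "admin",
                "admin123", "letmein", "pass", "password", "test", "user"}

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample inventory (hypothetical account names and passwords).
SAMPLE_ACCOUNTS = {
    "sa": "password",
    "Administrator": "Admin123",
    "svc_backup": "x9$Lq!r2Tz0pWm4#Ke7v",
    "root": " letmein ",
}


def is_listed_weak(password):
    """True if the password matches a listed value, ignoring case and padding."""
    return password.strip().lower() in MORTO_LISTED


def audit(accounts):
    """Return the sorted names of accounts using a listed weak password."""
    return sorted(name for name, pw in accounts.items() if is_listed_weak(pw))


def generate_password(length=24):
    """Fully random password drawn from the OS CSPRNG.

    The 16-character floor is an assumed policy minimum, not from the post.
    """
    if length < 16:
        raise ValueError("length below assumed policy minimum of 16")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Years needed to try every password of this length at the given rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


def rotate_weak(accounts, length=24):
    """Return a copy of the inventory with every flagged password replaced."""
    rotated = dict(accounts)
    for name in audit(accounts):
        rotated[name] = generate_password(length)
    return rotated


if __name__ == "__main__":
    print("flagged:", audit(SAMPLE_ACCOUNTS))
    print("still flagged after rotation:", audit(rotate_weak(SAMPLE_ACCOUNTS)))
    print("entropy of a 24-char password: %.1f bits" % entropy_bits(24))
    # 1e9 guesses per second is an assumed attacker rate for illustration.
    print("years to exhaust at 1e9/s: %.2e" % years_to_exhaust(24, 1e9))
```

In practice the deny-list check belongs at password-set time or in a vault's rotation job, since a well-run system does not hold privileged passwords in plaintext for auditing.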
Details of another data breach have hit the UK newswires
Posted on June 17, 2011 by Josh Arrington
Details of another data breach have hit the UK newswires today, with reports revealing that the National Health Service (NHS) has lost 20 laptops containing sensitive information from one of its store rooms. Whilst eight laptops have been recovered, it has been disclosed that one of the 12 remaining missing laptops contained some 8.6 million medical records, reportedly unencrypted.
We have quite clearly moved on from the time when data could be effectively safeguarded by placing it under lock and key. It is therefore all the more concerning that such a large institution is still relying on such archaic methods to defend its data.
Organisations who want to truly safeguard their users and their information need to deploy proven tools which manage and protect sensitive data. That way, even if a device should go missing, it needn’t make the headlines.
IT Security Rewind: Week of May 23
Posted on May 31, 2011 by Josh Arrington
What a deal – Free backdoors with every product! Bank of America is stung by an insider! Plus, cyber crime hits the small screen. These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:
Wireless router, backdoor included: ThreatPost covers an “oops” by Allied Telesis, a Japan-based maker of switches, routers and other networking devices that posted an alleged internal customer support document online that was written to answer questions like “‘How do I obtain a backdoor password for my Allied Telesis device?’” and includes instructions on accessing a “built in Backdoor function” on any Allied Telesis device. Why is this a big deal? ThreatPost says it best: Backdoor administrative accounts and functions are a dirty secret of the hardware industry. Based on the headlines we’ve seen, this dirty little secret is hacker’s pay dirt.
Cost of a data breach = $10 million: IDG News Service has been tracking the Bank of America breach that was first reported by the Los Angeles Times this week. According to reports, a Bank of America insider who sold customer data to criminals cost the bank at least $10 million (US) in losses. While only minimal details of the breach are being released by law enforcement at this time, the efforts to leverage customers’ personal information has been successful in many cases, with one victim reporting that his checking accounts had been rapidly drained of more than $20,000.
Cybercrime – the movie: Got some down time this weekend? Hopefully you had your DVR set for CNBC’s documentary “Code Wars: America’s Cyber Threat,” which originally aired on May 26. The show investigated the prevalence of global cyber threats, with the correspondent Melissa Lee conducting multiple interviews including traveling to profile the leader of a group of Chinese hackers and visit Estonia, a nation whose banking system was taken down for days by hackers. The New York Daily News says, “‘Code Wars’ aims to scare us about bad guys with computers the same way ‘Jaws’ aimed to scare us about large angry fish.” Missed it? The program will run again on Sunday, May 29 at 10 p.m. ET.
What other security headlines do you think are worth highlighting?
IT Security Rewind: The Week of May 2
Posted on May 6, 2011 by Josh Arrington
Today marks the launch of our “IT Security Rewind” blog series, with our take on some of the week’s most significant and newsworthy industry stories. Our inaugural post highlights recent breaches and examines highly-exploitable vulnerabilities in common software and systems. Let’s take a look at this week’s Rewind:
- Above the law? When it comes to maintaining order and preserving safety, police officers are typically considered a first line of defense. Unfortunately, that doesn’t necessarily mean that their crime prevention technology is impregnable to hackers. As one security consultant proved, it is possible to exploit vulnerabilities in their equipment, specifically a police cruiser’s digital video recorder system. The consultant was able to exploit the hardcoded, default password in the system’s FTP server to gain access to the DVR’s controls and manipulate its use. Just another example in a long line of recent breaches that illuminate the vulnerabilities present in a large number of seemingly innocuous targets (think: digital copiers and scanners, video conferencing systems, and well, police cruiser cameras).
- Don’t ignore ERP: Along those same lines, enterprises beware: According to Dark Reading, another one of those often-ignored network targets susceptible to attack may be your company’s ERP system. According to the report, these systems are often ignored and left vulnerable to unauthenticated attackers that can leverage embedded credentials, like hardcoded passwords, to enter a system and steal sensitive information.
- Passwords at risk [again]: Speaking of lines of defense—how upset would you be if you proactively used a secure password storage service, but then discovered that all of that critical information may be compromised? One of those services, LastPass, is urging their users to change their network passwords after detecting a network anomaly.
No matter where or how data is stored these days, one thing is clear—you need to stay on guard.
That’s this week’s IT Security Rewind! What was your take on the news?
The RSA Breach and Security Best Practices: The Role of Least Privilege
Posted on March 22, 2011 by Adam Bosnian
As the security industry continues to look for answers and insight to RSA’s recent data breach, we found the security best practices suggested to SecurCare customers valuable for nearly every organization that shares, stores or provides access to sensitive data. We need to wait and see what emerges from this latest attack to see what vector was used – but we support and re-emphasize the response by RSA to its customers as it provides some valuable, current and real-world lessons every organization needs to follow.
Following are several that are particularly relevant to our customers and partners, including:
• We recommend customers enforce strong password and PIN policies.
• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
Let’s dive into the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only that amount of privilege necessary for a given activity. When applied to privileged accounts, those used by administrators or applications to access and manage key systems, applications and databases, it becomes a bit harder to do, since these powerful accounts often provide full, unfettered access to enterprise systems and applications.
However, what’s often overlooked is how these accounts can provide unwanted ‘escalation of privileges’ for Advanced Persistent Threat (APT) attacks. These access points, often in the form of embedded or hardcoded passwords, exist in almost every networked system, application or database. We saw this recently with the Stuxnet virus – entering in through an embedded credential in a SCADA system, as well as in the Operation Aurora attacks on several companies’ source code management systems.
While malicious outsiders and insiders have focused often on the administrative credentials on typical systems like servers, databases and the like, in reality, IT organizations need to identify every asset that has a microprocessor, memory or an application/process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organizational vulnerabilities.
At the end of the day, the use of privileged access to exploit vulnerabilities such as hardcoded passwords is a very real threat that provides malicious hackers with new ways into the enterprise. It’s not just about ensuring that your system administrators are equipped with least privileged access, it’s something that every company—security vendors and enterprises alike—needs to recognize and proactively guard against.
What are some of your favorite security best practices, particularly related to managing, monitoring and controlling privileged access?
Sensitive information at risk after council loses unencrypted USB drive
Posted on February 23, 2011 by Josh Arrington
The Information Commissioner’s Office (ICO) has found Cambridgeshire County Council in breach of the Data Protection Act, after the council lost an unencrypted memory stick, contrary to policy, containing sensitive data relating to vulnerable adults.
What’s interesting, and in many ways particularly disappointing, in this story is that the council had only just undertaken an internal campaign promoting its encryption policy. The fact that so soon after this a member of staff was willing to completely ignore the policy really indicates just how far organisations still have to come in educating workers on the importance of information security.
On top of this, it’s fair to say that using USB drives for such important information at all should be out of date. Technology has sufficiently advanced that companies should be looking beyond such devices – which have proven far too often to be vulnerable in nature.
What organisations must look for is a secure file transfer solution that removes sensitive information from such devices and keeps them stored centrally and securely. This would go a long way to mitigating the risk of losing data when mobile devices inevitably do go missing.
Copyright 2013 Cyber-Ark Software - All Rights Reserved
