Roy Adar, Vice President of Product Management, Cyber-Ark
April 17, 2012 16:30
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Roy Adar, Vice President of Product Management, Cyber-Ark
April 17, 2012 16:30
Roy Adar, Vice President of Product Management, Cyber-Ark
April 17, 2012 16:30
Welcome back. Very pleased to reintroduce you to Ray Adar from cyber a where he is vice president of product management. I'm doing this slowly. So we might get one or two more people to come in, but they've stopped coming, but we should continue. Never let the people go on breaks.
That's a, that's A first, don't worry. We're not doing that for the next three hours. They're locked in. Good. And his subject is ripped from the headlines, the privilege connection solved, which is a puer of a title. And you have 20 minutes. Thank you very much, sir. Clicker is this one? Yeah. Thank you. So good afternoon. Thank you for coming back. Very from the break, I have to say to, to the ones who, who came back from the break, my name is Royal Dar. It was introduced vice president of product management for cyber a software.
Now, you know, it's not gonna be a surprise. The next sentence will not be a surprise to anyone, but of course, identity and security are very, you know, tightly connected. But one of the things is that to really have, you know, security in place and to have security controls, you need to make sure that, you know, or you can check and validate the identities of the people in your system. Now that's everyone is saying, okay, what's, what's new and that's not a very new new sentence, but we'll see how this relates to, to our topic of, of today.
And today we're gonna talk about privileged accounts will explain what they are. We'll talk about why it's such a challenge to manage privilege accounts. We'll talk from the headlines, ripped from the headlines, how privilege accounts have been used in exploit. In the last few years, we will share some of the predictions of how the threat landscape make change over time. And we'll also try to give recommendations on how privilege accounts can be managed in order to help secure environment. And we'll try to do all of that in 20 minutes.
So privilege accounts, When we talk of privilege accounts, we're talking of, of accounts such as the administrator accounts on the windows, the root accounts on the UN accounts that are generic or shared, there are shared between between a team by definition, the privileged accounts have unlimited access. They're mainly used for management and administra administration purposes. So they have, they're very powerful. They can access everything. And as the name suggests, they're not tied to a particular individual, they are used by a team they are shared around.
And if you, you know, think from the identity management point of view in identity management, that that's a, that's a big challenge because it's very difficult to know who is the user that has used a privileged account, or why who is using a privileged account? Is it a, is it Roy? Is it Mike? Is it an attacker?
Okay, who's using that privilege account. You don't have that, that accountability.
Now, if the number of privilege accounts in an organization was, was small or manageable, then that would've, you know, you would've found ways to, to deal with it. But unfortunately the reality is that the number of privileged accounts is often much larger than the number of users in the organization. In a lot of the companies we work with, the number of privileged accounts is something like two to five times. The number of users is kind of a rule of thumb. So there are a lot of them which makes it, makes it a challenge. So let's talk about where privileged account exist. Okay.
Some perhaps the obvious example, the shared administrative accounts. So it's, you know, that administrator of the windows that, that that's easy, the root of the unique system and the Linux system. Okay.
You know, most people know, know that as well. Every database has a built in privileged accounts. Oracle has system and CS SQL server has SA Cisco routers, okay. Configuring routers. There's a built in privileged accounts, enable firewalls have privileged accounts, every device, every appliance, every system, every application in your infrastructure that needs to be administered, okay. That needs sometimes someone to administer them would have a privileged account as part of that device.
So the, these are of course, high numbers. Now, again, some of you may know that, but, but a lot of people are not as familiar. There's a lot of what we call application to application privilege accounts. So when you have an application, for example, that needs to connect to a database in order to function, the developers need to provide that application with username and password to connect to the database.
Now it's, it's very common for the developers to, you know, either hard code the username and password into the script or the application, or put it in, in some configuration file that the application can access. But this is a very powerful, privileged accounts that exist in all applications and scripts that need to interact with either other servers or other applications. The other type more, more recent is of course the cloud shared accounts or the social accounts. So just as an example, the corporate Facebook account corporate Twitter account.
And if you're, you know, in the, in parts of the marketing organization or even a finance application, there are a lot of finance services available as subscription where the user that is being used by, by the, the business users is some sort of shared account. Now, specifically cloud and social accounts are often not used by it. They're used by the business users, which also has implications on, on some of the, of the controls around them. So all these shared accounts exist, the numbers are, are, are really large. And of course the potential or the power of these accounts is really clear.
And as we said, it's, it's a bit hard to track. So what do you do? How do you know who's using these accounts and where do you, where do you look, where do you look for, who can use these accounts? And what do I do about it?
So the, you know, the obvious place to look is, you know, that the it team, my internal it team, the administrators, they're the one who need to use privilege accounts on day to day, you order to administer the system. And they're in my office. I know them. I trust them. They're good people, you know, they they're, my, my colleagues, this is great. But if you, you know, stop to think, okay, are they the only ones that are using privileged accounts in my organization?
Then, then you say, you know what, but wait a second. I also have contractors that come just for a few weeks and I have offshore developers that I hired for a specific project and, and they develop code for me. So they know the username and password for the, for the production application.
And yeah, I have some system integrators that also kind of, you know, come and go and also need to use privileged accounts for, for legitimate use.
So the number of, you know, the number of people that are using those privileged accounts and are exposed to them, becomes, you know, quite significant and, and kind of exceeds the people that you see and, and know for years, of course, with, you know, modern hosting and cloud service providers, some of your information is not even, you know, you don't even know who's managing them, they're being managed by hosting providers or, or, or other cloud hosting providers and their it team is also able to access your privileged accounts.
So basically, you know, in the, in that world is we call it the, you know, the outsiders becoming the insider. You know, a lot of people are kind of fall under the, the realm of insiders.
They, they do legitimate work, you know, using privilege accounts. But a lot of them, I don't even know, you know, I don't know them. I don't see them. I don't know who they are. I should still, you know, like to control and know what's going now. Assert if you follow them, the computer emergency response team out of car Carnegie Mellon, do a lot of research on insider threats. And that's of course, you know, a topic most people heard insider threat. So in their survey, they, you know, found something like 45% of companies have reported that they had an insider threat incident.
The interesting thing is that the majority of those organizations, sorry, the majority of those insiders had, you know, technical or technical support positions. And 90% of them were accessing and able to access privilege accounts. Okay. Had the keys to, to, to doing it was easier for them to do whatever they did that was wrong.
There are several examples, you know, from the headlines that I'm sure most of you have seen the McDonald hacker, which is, has nothing to do with McDonald, except that, that was the place that the individual chose to, to take his laptop and, and kind of use the free wireless at a McDonald. But basically it was a fired employee, you know, a fired insider and his account, you know, was perhaps terminated, but he still knew the password of shared accounts and the privilege accounts. So he was able to use that to connect to the VMware server and do damage using that shared account.
You may have heard of the other employee that was let go of Gucci and had similar, you know, similar scenario was, was able to obtain access to the network remotely. Okay.
Again, doesn't need his personal account. He can just use the shared accounts, the privilege accounts that he knows from working in the company and was able to just come in and do sabotage, okay. Just simple examples. Now those are the insiders. Now what about external attackers, external attackers?
And we will talk in detail on some of the more known security breaches of the last few years, but when aggregating a lot of the, a lot of the security incidents of recent years, you, you find that use of privilege accounts as a step in the attack has been almost in all cases and 85%, sorry, 80% of incidents were due to weak administrative credentials, weak credential means, you know, I don't need to, to work in the organization and, and be, and, and someone tells me the password, it's an easy password. So I can, you know, it's easy for me to, to crack it or obtain it.
And I can, you know, and I can exploit that 15% are, you know, default, hidden administrative accounts. Many people are not always familiar that, you know, their storage device has kind of a built in administrator account that only kind of the manufacturer and a lot of people who, who know internals aware exist, you know, there was also a famous incident with, with the EMC storage. The so HP storage that had, that had a such account at place.
So, you know, Rick from the headline, we'll take just some examples. We want go into the details. RSA attack will, will talk a bit more about that. The objective of the attacker get to privileged accounts. The Pacific Northwest national laboratory, again, hackers came in. One of the steps is obtain a privilege account so they can continue snooping around looking for the sensitive information that they were looking to steal Sony attack, very famous of course, attack from a year ago.
Again, the objective was to find a way in reach or gain access to privilege accounts in order to continue the attack. So when you look at that and you look at the, at the steps of an attack, and we'll review an example in a second, getting access to privilege accounts and obtaining privilege accounts is really a critical step in the attackers path. Okay. And that's something that we, you know, we need to look at and, and be a word, sorry, format. Okay.
So let's say that relating to the conversation of before with, you know, privacy information and how that impacts the security, let's say, I want to, you know, perpetrate an attack against a certain bank again, just for the sake of an example. So it's, it's not as hard today as it was few years ago today with, you know, with the good help of, of LinkedIn, I can log into LinkedIn, you know, do advanced search, advanced people search, look for, you know, look for all the employees of this given bank. But I want, you know, I want people that will allow me to get access to privilege accounts.
So I want, you know, it people or database administrator. So I search, you know, show me all the, it, all the people that have, you know, a title that has, you know, database administrator system administrator within that bank, I'm gonna get a list of names. Okay.
Now, from that, from those names, it's very easy to create an email list. I will find the format of how this bank has the, you know, email structure, first name, last name, last name, first name, you know, I'll figure it out. It's not that hard. And I'll have, you know, a list of candidates to go after now.
I create, you know, a special email for them now, you know, now, now it's the hacker part, right? I, I have a targeted, targeted malware. I send them, you know, an email. I will make it interesting to their line of work because I mean, I know what they do so I can, you know, try to make it an exciting email for them. So at least one of them will, will click it. And you know, one of them will, and I will be patient and persistent and see that this administrator uses privilege accounts.
You know, I can from keyboard, for example, I can pick the privilege passwords that they, that they type and, you know, continue the process. Now that's a, you theoretical exercise, but apparently that's very similar to what happened with, with a lot of the famous breaches. If you look for example, at the RSA breach, it started very similarly, but from the finance department department, the attackers went after the finance people and, you know, sent a poisoned Excel file with the zero day exploit. And one person opened the link.
Now the attacker is in, okay, they are, they establish, you know, the commanded control on their desktop. I'm going fast bit because of the time, but I'll be happy to elaborate later if you want, they establish their present.
They start exploring around, see what asset, what privilege account exists, use the privilege accounts, you know, aggregate data and kind of sneak it outside of the organization using, you know, using kind of the masking it as, as traffic going out, very similar concept, even easier technically is an attack that was public on the Canadian government, where it was where the attacker actually sent an email to employees of executives. And in the pretend proposedly on behalf of the executive. So like the it manager sent you an email, okay.
He wasn't, the it manager was just pretending to be the it manager saying, Hey, I need the, the passwords for these sensitive servers. You know, please send me the passwords. So the employees got that email said, okay, you need the password.
I'll, you know, I send them the password and that's it. The attacker now got access to those privilege accounts and, you know, no, no one knows it, no one, you know, nothing, nothing, nothing triggers any alerts. And of course that led to one good that led obviously to the compromise of data. Okay. So we won't leave you without, what do we do? Okay. And when I think we'll be able to do that in one minute. So first of all, you know, recognize that, recognize that.
And one of the first things is when there is attack that has sequences and one of the sequences means I need to get access to privileged accounts. If your job is to prevent that attack, you can stop it anywhere. Okay. It's a chain of things that happen that the attacker tries to do. You only need to stop them once. Okay. It's not easy, it's hard, but that's what you need to do. You need to stop the tax sequence. And if a lot of, or the majority of a tax sequence go through trying to obtain privilege accounts, then you can try to stop that. Okay.
So for example, if your privileged accounts cannot easily be bruteforce because they are automatically changed because they are, you know, changed randomly by, by a machine, making them very hard to bruteforce, then they're, it's gonna be hard to obtain them. They also need to be stored in a secure location and not, you know, in an Excel file or something where, where they can be visible.
Finally, even if you assume, and that's a lot of people assume that that desktops in the organization or some employee in the organization was less careful or was, or was tricked in a, in a smarter social engineering and has, has been infected by malware. It's not the end game. You can still do something which is called secure session monitoring, which helps isolate privileged session from the desktop. So the privileged session are not launched from a desktop where someone needs to key in username and password that can be obtained by the malware.
You can have things like privileged, single sign on and privileged session monitoring that helps isolate that sensitive information of how to obtain privilege accounts from the malware. So the malware is blindfolded. And with that, we finish. So what we have covered today, privileged accounts proven to be the target on both internal and external attacks.
It's something we strongly recommend as you build your security infrastructure, that you also consider privilege accounts, managing them, controlling them, monitoring them as a real fundamental piece, fundamental building block of your security infrastructure. And of course, make sure you have security in mind in the solutions and, and tools that you use. We'll be happy to continue the conversation in our, in our booth outside. And I dunno if I have time questions, not questions later. Thank you.