© Hitachi Systems CBT S.p.A. 2015. All rights reserved.
07/04/2016
Denis Valter Cassinerio
Security BU Director
& Sales North Director
Management and Control of Privileged Access
What are the Best Practices?
Sources of attack
Figure: sources of attack, grouped as internal and external: hacktivists, direct collaborators, criminal organisations, former employees, IT service providers, competitors, current employees.
Sample: 124 respondents
Source: Osservatori Politecnico survey
ATTACK SURFACE
Intrusion Kill Chain
Phases (the slide header labels them Reconnaissance, Weaponization, Delivery, Backdoor, Lateral Movement, Data Collection, Exfiltrate; the descriptions below follow the seven-phase model):
1. Reconnaissance: research, identification and selection of targets, often represented as crawling internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
2. Weaponization: coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool. Increasingly, client application data files such as Adobe PDF or MS Office documents serve as the weaponized deliverable.
3. Delivery: transmission of the weapon to the targeted environment using vectors like email attachments, websites, and USB removable media.
4. Exploitation: after the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability.
5. Installation: installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment and escalate privileges.
6. Command and control: typically, compromised hosts must beacon outbound to an internet controller server to establish a C&C channel.
7. Actions on objectives: only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment.
Courses of action available against each phase: DETECT, DENY, DISRUPT, DEGRADE, DECEIVE, DESTROY
CAMPAIGN ANALYSIS – TOOLS, TECHNIQUES AND PROCEDURES
LEVERAGE; DISCOVER; ANALYZE ATOMIC, COMPUTED AND BEHAVIOR INDICATORS
Understand a CYBER ATTACK
PRIVILEGED ACCOUNT - Definition
What is a Privileged Account?
Privileged accounts are valid credentials used to gain access to systems. The difference is that they also provide elevated, unrestricted access to the underlying platform that non-privileged user accounts do not have.
These accounts are designed to be used by sysadmins to deploy and manage IT technology: operating systems, network devices, applications and more.
They are the proverbial keys to the infrastructure, which is why attackers and malicious insiders seek to steal them.
They basically provide access to just about everything. The term 'privileged account' is used loosely for all of them, but these are the most common privileged accounts found across an environment:
PRIVILEGED ACCOUNTS – Who & What
1 - Local Administrative Accounts: these non-personal accounts provide administrative access to the local host.
2 - Privileged User Accounts: credentials that give administrative privileges on one or more systems.
3 - Domain Administrative Accounts: these accounts give privileged administrative access across all workstations and servers within a Windows domain.
4 - Emergency Accounts: these provide unprivileged users with administrative access to secure systems in the case of an emergency.
5 - Service Accounts: these can be privileged local or domain accounts that are used by an application or service to interact with the operating system.
6 - Application Accounts: accounts used by applications to access databases, run batch jobs or scripts, or provide access to other applications.
USER with ADMIN RIGHTS can …
Change system configurations:
Install and start services; stop existing services (such as the firewall)
Disable or uninstall anti-virus; cause code to run whenever someone logs on to that system
Render the machine unbootable; replace OS and other program files with Trojans
Install malware:
Kernel-mode rootkits
System-level key loggers
Malicious ActiveX controls
Spyware / adware
Malware to facilitate pass-the-hash attacks
Access and change accounts:
Create and modify user accounts
Reset local passwords
Access data belonging to other users
IDENTITY «Matters» …IAM vs PAM
Figure: layered identity architecture.
Extended perimeter: remote employees, consumers, users from other organisations
Perimeter layer
Control layer: Identity & Access Management, Policy Management, Integrated Directory Environment, Security Management
Resource layer: departmental environment
ACCESS MANAGEMENT : The Reality
END USERS: too many IDs; too many passwords; must wait for access to applications
ADMINISTRATORS: too many IDs; too many end-user requests; difficult or unreliable ways to sync all the accounts; orphaned accounts
AUDIT/COMPLIANCE: limited or no audit capability; where are the audit trails?
BALANCE between SECURITY & OPERATIONS
Spectrum from an uncontrolled PC, through granular admin-rights management, to a completely locked-down PC.
Uncontrolled PC: unstable PC; open gate to intruders
Completely locked-down PC: costly level 2/3 support; high frequency of installation requests and admin actions, affecting end-user productivity
GET FOCUSED ON «PAM»
PRIVILEGED ACCOUNT MANAGEMENT
Protect what matters, even against insider threats
Ensure compliance
Improve IT reliability and reduce costs
Enable a secure path to applications and cloud
Don't analyze everything; analyze the «right thing»
Map normal behaviour
Impede lateral movement
Identify the breach
Avoid data breaches
PAM SECURITY DRIVERS
COMPLIANCE
Common Standards L.196, L.231, ISO 27001, HIPAA, SOX, PCI DSS…
New Challenges
• DATA PROTECTION OFFICER
• AVOID DATA BREACH
• DETECT & ALERT
• FORENSICS
Compliance + Controls
Identify + Processes
Proactive
Investigate
IT SECURITY DRIVERS
COMPLIANCE
Directive 263 / 285
• Store and manage centrally the privileged accounts present on systems and applications
• Eliminate sysadmins' and application managers' knowledge of impersonal (shared) privileged credentials
• Guarantee access to and use of credentials only when necessary, based on authorization, segregation and least-privilege criteria
• Have users execute commands, or entire sessions, in a controlled manner
• Separate the provisioning of accounts (IAM) from the control of their use
• Control the use of privileged credentials by personnel (internal or suppliers) and the actions performed, through logs, video recordings and reports
• Keep logs in encrypted, tamper-proof repositories
BEST PRACTICES – Based on Level of Maturity
Inventory and reduce the number of privileged accounts
Prohibit standard user accounts from having privileged access
Create a process for on- and off-boarding employees that have privileged account access
Eliminate the practice of accounts that have non-expiring passwords
Store passwords securely
Automatically change privileged account passwords on a 30- or 60-day cycle
Utilize one-time passwords, which are passwords that are valid for only one login session or transaction
Implement session recording for key assets, servers and third-party access
Eliminate the option of interactive (human) login for service accounts
Implement a process to change hard-coded or embedded passwords for scripts and service accounts
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior
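Several of the practices above (no standard user accounts with privileged access, no non-expiring passwords, a 30/60-day rotation cycle, no interactive logon for service accounts, disabling inactive privileged accounts) can be checked mechanically against a directory export. The script below is an added example, not code from the deck or from any product: it audits a constructed CSV export in the shape a user-export tool would produce. The field names, group names, the "-adm" naming convention for personal admin accounts and the 90-day inactivity threshold are all assumptions of the example.

```python
"""Privileged-account hygiene audit over a constructed directory export.

Added example, not part of the original deck. The inventory is a constructed
CSV in the shape of a user export (field names, group names, account names
and the '-adm' naming convention are all assumptions of this example).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

AUDIT_DATE = datetime(2016, 4, 7, tzinfo=timezone.utc)   # assumed "today"
MAX_PASSWORD_AGE = timedelta(days=60)                     # 30/60-day cycle from the slide
MAX_INACTIVITY = timedelta(days=90)                       # assumed threshold for "inactive"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample export: one row per account.
SAMPLE_EXPORT = """\
sam,type,groups,password_never_expires,password_last_set,last_logon,interactive_logon_allowed
jdoe,user,Domain Users,false,2016-03-20,2016-04-06,true
jdoe-adm,user,Domain Users;Domain Admins,false,2016-01-10,2016-04-06,true
svc_backup,service,Domain Users;Administrators,true,2014-02-01,2016-04-05,true
svc_sql,service,Domain Users,false,2016-03-01,2016-04-06,false
oldadmin,user,Domain Users;Domain Admins,false,2016-03-01,2015-11-01,true
bglass01,emergency,Administrators,false,2016-03-15,,false
"""


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc) if s else None


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["groups"] = {g for g in row["groups"].split(";") if g}
        row["password_never_expires"] = row["password_never_expires"].lower() == "true"
        row["interactive_logon_allowed"] = row["interactive_logon_allowed"].lower() == "true"
        row["password_last_set"] = _date(row["password_last_set"])
        row["last_logon"] = _date(row["last_logon"])
        accounts.append(row)
    return accounts


def is_privileged(acct):
    return bool(acct["groups"] & PRIVILEGED_GROUPS)


def audit(accounts, now=AUDIT_DATE):
    """Return {sam: [finding, ...]} for privileged accounts that violate the practices."""
    findings = {}
    for a in accounts:
        if not is_privileged(a):
            continue
        f = []
        # Standard user accounts must not hold privileged access; personal admin
        # accounts are assumed to be separate, '-adm'-suffixed identities.
        if a["type"] == "user" and not a["sam"].endswith("-adm"):
            f.append("standard user account holds privileged group membership")
        if a["password_never_expires"]:
            f.append("password never expires")
        if a["password_last_set"] and now - a["password_last_set"] > MAX_PASSWORD_AGE:
            f.append(f"password older than {MAX_PASSWORD_AGE.days} days")
        # Service accounts must not be usable for interactive (human) logon.
        if a["type"] == "service" and a["interactive_logon_allowed"]:
            f.append("service account allows interactive logon")
        # Inactive privileged accounts get disabled; emergency (break-glass)
        # accounts are exempt because they are expected to sit unused.
        inactive = a["last_logon"] is None or now - a["last_logon"] > MAX_INACTIVITY
        if a["type"] != "emergency" and inactive:
            f.append("inactive privileged account, disable it")
        if f:
            findings[a["sam"]] = f
    return findings


if __name__ == "__main__":
    for sam, issues in sorted(audit(parse_export(SAMPLE_EXPORT)).items()):
        print(sam)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, the audit flags jdoe-adm (password past the rotation cycle), svc_backup (non-expiring password, stale password, interactive logon allowed) and oldadmin (a plain user account sitting in Domain Admins, and inactive), while the break-glass account bglass01 passes because inactivity is expected for it. The break-glass exemption is a design choice of the example: those accounts still need the password vaulted and rotated after each use, which the inventory alone cannot tell you.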
BEST PRACTICES – Based on Level of Maturity
Use automated tools to disable inactive privileged accounts
Use multifactor authentication for all administrative access, including domain administrative access
Implement automated password verification and reconciliation to ensure that the passwords of record are current on all systems.
Regularly change and verify hardcoded passwords embedded in applications.
Deploy a solution that provides the ability to directly connect to a target system without displaying the password to the user.
Implement a gateway to eliminate privileged users directly accessing sensitive assets in the IT infrastructure
Implement a request workflow for credential access approval including dual-controls and integration with helpdesk ticketing systems.
Implement session recording for all privileged access.
Proactively detect malicious behavior.
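"Focused auditing on the use of administrative privileged functions" and "proactively detect malicious behavior" come down to building a baseline of normal admin activity and alerting on deviations from it. The following is an added example, not code from the deck or any product: it builds a per-account baseline (source hosts and working hours) from a constructed set of Windows Security events and then checks new events against it. Event IDs 4624 (logon) and 4672 (special privileges assigned to a new logon) are the real Windows IDs; the accounts, hosts, timestamps and the sanctioned-admin list are constructed.

```python
"""Focused auditing of administrative logons against a behaviour baseline.

Added example, not from the deck. Event IDs 4624 (logon) and 4672 (special
privileges assigned to new logon) are the real Windows Security event IDs;
every account, host and timestamp below is constructed.
"""
from collections import defaultdict
from datetime import datetime

ADMIN_ACCOUNTS = {"ops-adm", "db-adm"}   # accounts sanctioned for privileged use (assumed)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# (time, event_id, account, source_host, logon_type); logon_type 10 = RemoteInteractive (RDP)
BASELINE_EVENTS = [
    (ts("2016-03-21 09:05"), 4624, "ops-adm", "JUMP01", 10),
    (ts("2016-03-21 09:05"), 4672, "ops-adm", "JUMP01", None),
    (ts("2016-03-22 14:30"), 4624, "ops-adm", "JUMP01", 10),
    (ts("2016-03-23 10:00"), 4624, "db-adm", "JUMP02", 10),
    (ts("2016-03-23 10:00"), 4672, "db-adm", "JUMP02", None),
    (ts("2016-03-24 16:45"), 4624, "db-adm", "JUMP02", 10),
    (ts("2016-03-25 11:20"), 4624, "ops-adm", "JUMP01", 10),
]

NEW_EVENTS = [
    (ts("2016-04-06 10:15"), 4624, "ops-adm", "JUMP01", 10),      # normal
    (ts("2016-04-06 02:40"), 4624, "ops-adm", "JUMP01", 10),      # off-hours
    (ts("2016-04-06 11:00"), 4624, "db-adm", "WS-ACCT-17", 10),   # from an unseen host
    (ts("2016-04-06 11:01"), 4672, "jdoe", "WS-ACCT-17", None),   # non-admin got admin privileges
]


def build_baseline(events):
    """Per admin account: hosts it logs on from and the hour-of-day range it works in."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for when, eid, account, host, _ in events:
        if eid == 4624 and account in ADMIN_ACCOUNTS:
            hosts[account].add(host)
            hours[account].add(when.hour)
    return {acct: {"hosts": hosts[acct], "hours": (min(hours[acct]), max(hours[acct]))}
            for acct in hosts}


def detect(events, baseline):
    """Return alerts as (time, account, reason) for privileged activity that breaks the baseline."""
    alerts = []
    for when, eid, account, host, logon_type in events:
        # Privileges granted to an account that is not sanctioned for admin use.
        if eid == 4672 and account not in ADMIN_ACCOUNTS:
            alerts.append((when, account, f"special privileges assigned to non-admin account from {host}"))
            continue
        if eid != 4624 or account not in baseline:
            continue
        b = baseline[account]
        if host not in b["hosts"]:
            alerts.append((when, account, f"logon from host never seen for this account: {host}"))
        lo, hi = b["hours"]
        if not lo <= when.hour <= hi:
            alerts.append((when, account, f"logon at {when:%H:%M}, outside baseline hours {lo:02d}-{hi:02d}"))
    return alerts


if __name__ == "__main__":
    for when, account, reason in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{when:%Y-%m-%d %H:%M}  {account:<8}  {reason}")
```

On the sample this raises three alerts: the 02:40 logon by ops-adm (outside its 09-14 baseline), the db-adm logon from WS-ACCT-17 (never seen for that account, a workstation rather than the jump host), and the 4672 event for jdoe, a standard user who should never be assigned special privileges. The caveat a practitioner will want: the baseline is only as clean as the window it is learned from, so learn it from a period you have reason to trust and review it before relying on it.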
BEST PRACTICES – Based on Level of Maturity
Ensure, to the best of the organization's ability, all actions using shared administrative accounts can be attributed to a specific individual.
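Attribution of a shared account's actions to an individual depends on the request workflow with dual control described on the previous slide: if the vault records who held the shared credential and when, a later session-recording or log entry on that account can be joined to that check-out. The following ledger is an added example, not code from the deck or any vendor's API. It enforces two approvers (neither the requester), allows one holder at a time, and attributes constructed session events to the holder. People, accounts, ticket IDs and commands are all constructed.

```python
"""Dual-control check-out ledger for a shared administrative account.

Added example, not from the deck and not any vendor's API. It shows the
request/approve/check-out workflow with two approvers and how later events
on the shared account are attributed to whoever held the check-out at that
time. People, accounts, ticket IDs and commands are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


@dataclass
class Checkout:
    account: str                     # shared account, e.g. "root@srv-db01" (constructed)
    requester: str                   # the individual who will use it
    ticket: str                      # helpdesk ticket justifying the request
    approvers: Set[str] = field(default_factory=set)
    start: Optional[datetime] = None
    end: Optional[datetime] = None


class CheckoutLedger:
    def __init__(self, required_approvals=2, max_duration=timedelta(hours=2)):
        self.required_approvals = required_approvals
        self.max_duration = max_duration
        self.records: List[Checkout] = []

    def request(self, account, requester, ticket):
        return Checkout(account, requester, ticket)

    def approve(self, co, approver):
        # Dual control: the requester can never approve their own request.
        if approver == co.requester:
            raise PermissionError("requester cannot approve own request")
        co.approvers.add(approver)

    def holder(self, account, when):
        """The check-out active on `account` at `when`, or None."""
        for r in self.records:
            if r.account == account and r.start <= when < r.end:
                return r
        return None

    def checkout(self, co, now):
        if len(co.approvers) < self.required_approvals:
            raise PermissionError(f"{len(co.approvers)} approvals, {self.required_approvals} required")
        # One holder at a time: overlapping check-outs would make attribution ambiguous.
        if self.holder(co.account, now) is not None:
            raise RuntimeError(f"{co.account} is already checked out")
        co.start, co.end = now, now + self.max_duration
        self.records.append(co)
        return co

    def checkin(self, co, now):
        co.end = now   # close the window; a real vault would also rotate the password here

    def attribute(self, account, when):
        r = self.holder(account, when)
        return r.requester if r else None


def attribute_events(ledger, events):
    """Map (time, account, action) events on shared accounts to individuals."""
    return [(when, account, action, ledger.attribute(account, when) or "UNATTRIBUTED")
            for when, account, action in events]


# Constructed session-recording entries for the shared root account.
SESSION_EVENTS = [
    (ts("2016-04-06 10:30"), "root@srv-db01", "systemctl stop firewalld"),
    (ts("2016-04-06 13:15"), "root@srv-db01", "useradd svc_tmp"),
]


def demo():
    ledger = CheckoutLedger()
    co = ledger.request("root@srv-db01", "alice", "INC-1042")
    ledger.approve(co, "bob")
    ledger.approve(co, "carol")
    ledger.checkout(co, ts("2016-04-06 10:00"))          # window 10:00-12:00
    ledger.checkin(co, ts("2016-04-06 11:45"))           # window now 10:00-11:45
    return ledger, attribute_events(ledger, SESSION_EVENTS)


if __name__ == "__main__":
    for when, account, action, who in demo()[1]:
        print(f"{when:%H:%M}  {account}  {action!r} -> {who}")
```

The first session event (10:30) falls inside alice's check-out and is attributed to her; the second (13:15) falls outside any check-out and comes back UNATTRIBUTED, which is exactly the case to investigate: either the password was not rotated at check-in or someone used the account without going through the vault.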
WHERE TO START FROM
• Discover where your privileged accounts exist
• Clearly assess privileged account security risks
• Identify all privileged passwords, SSH keys, and password hashes
• Collect reliable and comprehensive audit information
CYBER THREATS JUST AHEAD
TOP 3 CYBER THREATS facing organisations in 2016
52% Social Engineering
40% Insider Threats
39% Advanced Persistent Threats
Source: ISACA's January 2016 Cybersecurity Snapshot, global data
SECURITY BU – The Right «Partner»
SOLUTIONS, SERVICES, CONSULTING, GOVERNANCE: Compliance, Professional Services, Technology, Cyber Security, Managed Security Services
Superior service empowered by combining the strength of our people and information technology.