Chad Froomkin
Major Account Executive
Southeast
Why are we here?
• 90% of organizations breached
• 59% of organizations breached more than once
• $3,500,000 average cost per incident to investigate and remediate
Sources: Cisco Talos; Deloitte Financial Advisory Services, Deloitte & Touche LLP; Mandiant; RSA; Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
The new cyber battleground: Inside your network
What do we know?
“…100% of breaches involved stolen credentials.”
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
Privileged accounts are targeted in all advanced attacks
Source: CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013
Perimeter defenses are consistently breached
Privilege is at the center of the attack lifecycle
Typical Lifecycle of a Cyber Attack
Scope of Privileged Account “attack surface” underestimated
Chart: In Your Estimation, How Many Privileged Accounts Are There In Your Organization? (share of respondents by answer: 1-250, 251-500, 501-1,000, 1,001-5,000, 5,001+, Don't know)
Source: Cyber - Privileged Account Security & Compliance Survey, 2014 (Enterprises > 5000 Employees)
Many organizations only use partial measures
Chart: Do you monitor and record privileged activity? (responses split 28% / 72%)
Chart: How Do You Monitor Or Record Privileged Account Activity? (share of respondents per method)
Privileged Accounts create a HUGE attack surface
What, Where & Why of Privileged Accounts
Privileged Accounts (all powerful; shared; difficult to control, manage and monitor):
• Administrator, Local Administrators
• IT staff, Sys admins/Net admins, DBAs, Developers
• UNIX root, Cisco Enable, Oracle SYS, ERP admin, Legacy applications
• Emergency, Fire-call, Disaster recovery, Help desk
• Social media mgrs
Application Accounts (App IDs, App2App; hard coded/embedded):
• Applications/scripts, Online database access
• Windows Services, Service Accounts
• Batch processing, Batch jobs, Scheduled Tasks
• App-2-App communication
• Developers
Why they matter: privileged operations and access to sensitive information pose devastating risk if misused.
Telecom breaches draw attention to insider access issues
▪ August 2014: A global top 5 Telecommunications company reported that, for the 2nd time in 2014, a privileged insider gained unauthorized access to customer information.
“We’ve recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization and while doing so, would have been able to view and may have obtained your account information, including your social security number and driver's license number”
▪ Yet another reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems.
Chinese hack U.S. weather systems & satellite network
▪ October 2014: A federal agency recently had four of its websites attacked by hackers from China. To block the attackers, government officials were forced to shut down a handful of its services.
▪ Post breach, security testing discovered multiple weaknesses:
  ■ “Weak or default passwords and operating system vulnerabilities with well documented exploits”
  ■ Significant problems with remote access
  ■ Assessment results lacked supporting evidence – lack of audit logs
The framework of a retail breach
• Access via compromised 3rd party account
• Escalation of privileges
• Install Remote Administration Tools
• Ex-filtrate data (Goal)
The Privileged Account Security maturity model
Baseline maturity, Medium maturity, High maturity
1) Baseline Maturity
2) Medium Maturity: Manage and monitor
• Schedule password changes
• Utilize one-time passwords
• Implement session recording
• Prevent human usage of service accounts
• Control application accounts
• Detect anomalies
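Two of the medium-maturity controls, preventing human usage of service accounts and detecting anomalies, as a small detection rule run over constructed logon records. This is an added example, not code from the deck or from CyberArk; the svc_ naming convention, the expected-host inventory and the sample log lines are all assumptions.

```python
import re

# Constructed sample log lines (not from the deck): simplified Windows
# Security "4624: An account was successfully logged on" records.
SAMPLE_LOGS = """\
2014-08-01T02:00:03Z EventID=4624 Account=svc_backup LogonType=5 Workstation=SRV-DB01 SourceIP=-
2014-08-01T09:14:22Z EventID=4624 Account=svc_backup LogonType=10 Workstation=WS-JSMITH SourceIP=10.1.20.45
2014-08-01T09:20:41Z EventID=4624 Account=jsmith LogonType=2 Workstation=WS-JSMITH SourceIP=-
2014-08-01T23:59:59Z EventID=4624 Account=svc_etl LogonType=4 Workstation=SRV-ETL01 SourceIP=-
2014-08-02T01:05:10Z EventID=4624 Account=svc_etl LogonType=3 Workstation=WS-ADMIN7 SourceIP=10.1.20.9
"""

# Assumptions (hypothetical, not from the deck): service accounts follow an
# "svc_" naming convention, and an inventory records where each one may run.
SERVICE_ACCOUNT_PREFIX = "svc_"
EXPECTED_HOSTS = {"svc_backup": {"SRV-DB01"}, "svc_etl": {"SRV-ETL01"}}
# Windows logon types that imply a person at a keyboard or an RDP session:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
HUMAN_LOGON_TYPES = {2, 10, 11}

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
                     r"LogonType=(?P<lt>\d+) Workstation=(?P<ws>\S+) SourceIP=(?P<ip>\S+)")


def parse_logons(log_text):
    """Return successful-logon (4624) events as dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("eid") == "4624":
            events.append({"ts": m["ts"], "account": m["acct"], "host": m["ws"],
                           "logon_type": int(m["lt"]), "source_ip": m["ip"]})
    return events


def detect_service_account_misuse(log_text):
    """Flag (timestamp, account, reason) for a service account that logs on
    interactively (a human using it) or from a host outside its inventory entry."""
    findings = []
    for ev in parse_logons(log_text):
        if not ev["account"].startswith(SERVICE_ACCOUNT_PREFIX):
            continue  # human accounts are out of scope for this rule
        if ev["logon_type"] in HUMAN_LOGON_TYPES:
            findings.append((ev["ts"], ev["account"], "interactive logon (type %d) on %s from %s"
                             % (ev["logon_type"], ev["host"], ev["source_ip"])))
        elif ev["host"] not in EXPECTED_HOSTS.get(ev["account"], set()):
            findings.append((ev["ts"], ev["account"], "logon from unexpected host %s" % ev["host"]))
    return findings
```

On the sample data the rule flags the RDP logon of svc_backup from a workstation and the network logon of svc_etl from a host not in its inventory, while the scheduled service and batch logons on their expected servers pass.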
3) High Maturity: Expand scope and automate
• Use multi-factor authentication
• Replace all hard-coded passwords in applications
• Employ next-generation jump-servers
• Implement approval and monitoring workflows
• Proactively detect malicious behavior
Critical steps to stopping advanced threats
Enterprise account usage today
Roles: DBAs, Windows Admins, Unix Admins, VM Admins, External Vendors, Applications, Business, Auditor/Security & Risk
Typical requests:
• “I need the password to map a drive”
• “I need my service provider to connect remotely”
• “I just need root to patch a database”
• “I have this script that needs to run as root every night”
• “What are your root entitlements, who used it, when did they use it and why?”
Requirements for an effective Privileged Account Security Solution
Privileged Activity Monitoring
Break the attack chain!!!
DNA - Discovery & Audit
The CyberArk Team: