advanced persistent threats
Post on 25-May-2015
Advanced Persistent Threats
K. K. Mookhey
Principal Consultant
Network Intelligence India Pvt. Ltd.
Speaker Introduction
Founder & Principal Consultant
Network Intelligence
Institute of Information Security
Certified as CISA, CISSP and CISM
Speaker at Blackhat 2004, Interop 2005, IT Underground
2005, OWASP Asia 2008,2009
Co-author of book on Metasploit Framework (Syngress),
Linux Security & Controls (ISACA)
Author of numerous articles on SecurityFocus, IT Audit, IS
Controls (ISACA)
Over a decade of experience in pen-tests, application security
assessments, forensics, compliance, etc.
Agenda
Ground-level Realities
Compliance & Regulations
Case Study of Privileged Identity Challenges
Solutions
Policy
Process
Technology
Background
Further background…
"Fraud worries Indian outsourcing firms... Industry executives
and officials at Nasscom, … say they are worried that exposés
of recent incidents of fraud are damaging India's reputation as
a high-skilled, low-cost location…"
"Infosys wrestles with India IT worker turnover…the Indian outsourcing firm is wrestling with a 25 percent spike in employee attrition—the
highest mark since 2004, analysts say."
"In India, the average annual attrition rate in the business process outsourcing
(BPO) sector hit a high of close to 50% a few years ago."
"Laterals attrition worrying IT biggies... some companies are now battling
attrition as high as 40% among their project managers, threatening to
disrupt ongoing engagements."
Acct Type / Scope / Used by / Used for

Elevated Personal Accts (SUPM)
  Scope: Personal accounts with elevated permissions (e.g. JSmith_admin, SUDO)
  Used by: IT staff
  Used for: Privileged operations; access to sensitive information

Shared Privileged Accounts (SAPM)
  Scope: Administrator, UNIX root, Cisco Enable, Oracle SYS, Local Administrators, ERP admin
  Used by: IT staff, System Admins, Network Admins, DBAs, Help Desk, etc., Developers, Legacy Apps
  Used for: Emergency, fire-call, disaster recovery; privileged operations; access to sensitive information

Application Accounts (AIM)
  Scope: Hard-coded and embedded application IDs; service accounts
  Used by: Applications, scripts, Windows services, scheduled tasks, batch jobs, etc.; Developers
  Used for: Online database access; batch processing; App-2-App communication
Highly Powerful
Difficult to Control, Manage & Monitor
Usage is Not ‘Personalized’
Pose Devastating Risk if Misused
What are Privileged Accounts?
86% of the insiders held technical positions (CERT)
90% of them were granted system administrator or privileged system access when hired (CERT)
64% used remote access (CERT)
50% of those people were no longer supposed to have this privileged access (Source: Carnegie Mellon, DOD)
92% of all the insiders attacked following a negative work-related event like termination, dispute, etc. (CERT)
The Insider Threat…
No. 1 security concern of large companies is…
THE INSIDER THREAT (IDC Analyst Group)
Crucial question…
Quis custodiet ipsos custodes?
=
Who will guard the guards?
How sys admins really operate!
And how passwords get compromised!
Ground Level Realities
SQL Server to Enterprise 0wned!
Entry Point – 172.16.1.36
Vulnerability -> SQL Server
Default username and password
Username: sa
Password: password
Use xp_cmdshell to
'net user kkm kkm /add'
'net localgroup administrators kkm /add'
Hash Dump
Administrator:500:A8367713FF9D45CE45F37A6:::
Guest:501:NO PASSWORD*********************:NO
PASSWORD*********************:::
GP2010STGLocal:1012:3ED3C0B9BB7B5091BC4186920:
AC4FFE38A7582D2A46E36865B:::
Privilege Escalation on the Network
Using the Administrator account logon to other machines
Login to the domain server was not possible
Check for Impersonating Users
"Most organizations have more privileged accounts than personal accounts" (Sally Hudson, IDC)
Typical use case - mid-size company IT profile: ~10,000 employees
8,000+ desktops/laptops
200 Windows servers
10 Windows domains
500 Unix/Linux servers
20 WebSphere/Weblogic/Jboss/Tomcat servers
100 Oracle/DB2/Sqlserver databases
50 Cisco/Juniper/Nortel routers and switches
20 firewalls
1,000 application accounts
150 Emergency and break-glass accounts
The Scope of the Problem...
What happened at RSA?
Spear Phishing
Compliance & Regulations
Current Audit Questions around Privileged Accounts:
"Can you prove that you are protecting access to key accounts?"
"Who is acting as System Administrator for this activity?"
"Can you prove that Rahul Mehta's access to the netAdmin ID was properly approved?"
"Can you show me what Rahul Mehta did within his session as root last week?"
"Are you changing the Exchange Admin password in line with company policy?"
"Have you removed hard-coded passwords from your applications?"
PCI, SOX, Basel II & HIPAA are all
diving deeper into Privileged Accounts
Compliance and Regulation
Telecom Regulations
DOT circular (31st May 2011) states in 5.6 A (vi) c. that:
The Licensee shall keep a record of all the operation and
maintenance command logs for a period of 12 months,
which should include the actual command given, who gave
the command, when was it given and from where. For
next 24 months the same information shall be
stored/retained in a non-online mode.
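As an added example (not from the original deck), the following Python normalises privileged command logs into the four fields the circular requires (the command, who gave it, when, and from where), flags the account-creation and Administrators-group commands that appear in the SQL Server case study above, and classifies each record against the 12-month online / further 24-month non-online retention rule. The one-record-per-line log layout, the host names and the Unix user are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (no real system): the first two lines mirror the commands
# from the SQL Server case study, the third is an ordinary sudo session.
SAMPLE_LOG = """\
2015-05-20T10:14:02Z host=SQLSRV01 user=sa src=172.16.1.36 cmd="net user kkm kkm /add"
2015-05-20T10:14:05Z host=SQLSRV01 user=sa src=172.16.1.36 cmd="net localgroup administrators kkm /add"
2015-05-21T08:02:41Z host=unix07 user=rmehta src=10.0.5.12 cmd="sudo -i"
"""

# Hypothetical one-record-per-line layout; real collectors differ, only the fields matter.
LINE_RE = re.compile(r'^(?P<when>\S+) host=(?P<host>\S+) user=(?P<who>\S+) '
                     r'src=(?P<where>\S+) cmd="(?P<what>[^"]*)"$')

# Commands that create an account or grant administrative group membership.
HIGH_RISK = [
    re.compile(r'^net user \S+ .*/add', re.I),                   # Windows: local user created
    re.compile(r'^net localgroup administrators .*/add', re.I),  # Windows: added to Administrators
    re.compile(r'^(sudo )?useradd\b'),                           # Unix: user created
    re.compile(r'^(sudo )?usermod .*\b(sudo|wheel)\b'),          # Unix: added to sudo/wheel
]

def parse_ts(s):
    """Timestamps in the sample are UTC in ISO 8601 form."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """One dict per line holding the command, who ran it, when and from where;
    lines that do not parse are kept as errors rather than silently dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            records.append({"error": "unparsed", "raw": line})
            continue
        rec = m.groupdict()
        rec["when"] = parse_ts(rec["when"])
        rec["high_risk"] = any(p.search(rec["what"]) for p in HIGH_RISK)
        records.append(rec)
    return records

def retention_tier(when, now):
    """12 months online, then a further 24 months non-online, as the circular requires."""
    age = now - when
    if age <= timedelta(days=365):
        return "online"
    if age <= timedelta(days=3 * 365):
        return "non-online"
    return "past-retention"
```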
Corporate Liability
43A. Where a body corporate, possessing, dealing or
handling any sensitive personal data or information in a
computer resource which it owns, controls or operates, is
negligent in implementing and maintaining
reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any
person, such body corporate shall be liable to pay
damages, not exceeding five crore rupees, by way
of compensation to the person so affected.
RBI Guidelines on Technology Risks
On April 29, 2011, the Reserve Bank of India released the
"Guidelines on Information security, Electronic Banking,
Technology risk management and cyber frauds".
Close supervision of personnel with elevated
system privileges
Personnel with elevated system access privileges should
be closely supervised
• App2App interaction requires an authentication process
– Calling application needs to send credentials to target application
• Common use cases
– Applications and Scripts connecting to databases
– 3rd Party Products accessing network resources
– Job Scheduling
– Application Server Connection Pools
– Distributed Computing Centers
– Application Encryption Key Management
– ATM, Kiosks, etc.
App2App Communication
Solutions!
Or why SIEMs are not the answer
Decipher this!
OS_USERNAME
--------------------------------------------------------------------------------
USERNAME
------------------------------
USERHOST
--------------------------------------------------------------------------------
TIMESTAMP RETURNCODE
------------------- ----------------
MRMESSIN\Mike Messina
DUMMYWORKGROUP\MRMESSIN
11/08/2007 09:07:54 1017
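The dump above is SQL*Plus output whose column names match Oracle's DBA_AUDIT_TRAIL view, with each wide column wrapped onto its own line; a SIEM that ingests it raw cannot say who failed to log on, from where, or why. As an added example (not part of the original deck), this Python reads the wrapped layout back into named columns and decodes RETURNCODE so that 1017 reads as the failed logon it is (ORA-01017). The sample record, including its user and host names, is constructed in the slide's layout.

```python
import re
# Constructed sample in the wrapped SQL*Plus layout shown on the slide (not real data).
SAMPLE = """\
OS_USERNAME
--------------------------------------------------------------------------------
USERNAME
------------------------------
USERHOST
--------------------------------------------------------------------------------
TIMESTAMP           RETURNCODE
------------------- ----------------
EXAMPLEDOM\\jsmith
SYS
EXAMPLEDOM\\WKSTN17
11/08/2007 09:07:54             1017
"""

# Oracle error numbers that DBA_AUDIT_TRAIL.RETURNCODE carries for logon events.
RETURN_CODES = {
    0: "success",
    1017: "ORA-01017 invalid username/password; logon denied",
    28000: "ORA-28000 the account is locked",
}

def parse_sqlplus(text):
    """Read each header line and its dash line to learn the column layout, then
    map the data lines that follow back onto those columns, one record per cycle."""
    lines = text.splitlines()
    layout, i = [], 0
    while i + 1 < len(lines) and re.fullmatch(r"[- ]+", lines[i + 1]):
        names = lines[i].split()
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[i + 1])]
        layout.append(list(zip(names, spans)))   # e.g. [("TIMESTAMP", (0, 19)), ...]
        i += 2
    rows = []
    while layout and i + len(layout) <= len(lines):
        row = {}
        for cols, line in zip(layout, lines[i:i + len(layout)]):
            for name, (start, end) in cols:
                row[name] = line[start:end].strip() if len(cols) > 1 else line.strip()
        rows.append(row)
        i += len(layout)
    return rows

def describe(row):
    # One readable sentence per audit record: who, from where, when, and why it failed.
    code = int(row["RETURNCODE"])
    meaning = RETURN_CODES.get(code, f"ORA-{code:05d}")
    return (f"{'FAILED' if code else 'OK'} logon as {row['USERNAME']} by OS user "
            f"{row['OS_USERNAME']} from {row['USERHOST']} at {row['TIMESTAMP']} ({meaning})")
```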
Control superuser access for in-depth unix security
Manage the commands Unix admins can run with granular access control
Enforce 'least privilege' - elevate to 'root' only when necessary
Monitor individual superuser activity with text recording
Unified audit of superuser activity and password access
On-Demand Privileges Manager: Tightening Unix Security
When Who What Where
Privileged 'Session' Example
Company: Telco with over 100M subscribers
Regulation: Multiple
Driver: Compliance, control & monitor access to production environment, reduce operational costs
Scope: Integrated Privileged ID and Session Management implementation on 15,000 machines, tens of thousands of accounts.
Benefits:
Minimized security risks
• Detailed audit logging & recording – 26,000 PSM recorded
sessions within first 60 days
Met compliance goals
Reduced TCO
• Avoid performance impact of end-point logging agents – savings
of around 4% of total CPU power!
Operational efficiency
• Integrated solution with central management & unified
reporting & policies
• Improved IT work efficiency with privileged single-sign-on
A comprehensive platform for isolating and preemptively
protecting your datacenter – whether on premise or in the
cloud
Discover all privileged accounts across datacenter
Manage and secure every credential
Enforce policies for usage
Record and monitor privileged activities
React and comply
Integrate with IDAM
Summary: Privileged Identity & Session Management
Before we get to the technology…
Controls Framework
Policies
Privileged ID Management Policy & Procedures
Privileged ID allocation – process of the approval mechanism
for it
Privileged ID periodic review – procedure for this
Monitoring of privileged ID activities – mechanisms, and
procedures for logging and monitoring privileged IDs
Revocation of a privileged ID – what happens when an
Administrator leaves the organization?
How are vendor-supplied user IDs managed
Managing shared/generic privileged IDs
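As an added example of the allocation, periodic review, revocation and vendor/shared-ID points above (not code from the deck), this Python reconciles a snapshot of actual privileged-group membership against an approved register and reports every ID that has no approval on record, whose owner has left, that has no named owner, or whose vendor approval has expired, plus register entries that no longer exist on any system. The register, hosts, accounts, HR feed and review date are all constructed.

```python
from datetime import date

# Constructed approved register: (host, privileged ID) -> owner, approval record, expiry.
# Shared or generic IDs must carry a named owner; vendor-supplied IDs must carry an expiry.
REGISTER = {
    ("SQLSRV01", "Administrator"): {"owner": "rmehta", "approval": "CHG-0412", "expires": None},
    ("SQLSRV01", "rmehta_admin"): {"owner": "rmehta", "approval": "CHG-0412", "expires": None},
    ("FW01", "vendor_support"): {"owner": "", "approval": "CHG-0390", "expires": date(2015, 3, 31)},
}

# Constructed snapshot of who is actually in the privileged groups on each host.
ACTUAL = {
    "SQLSRV01": {"Administrator", "rmehta_admin", "kkm"},   # kkm: the account added in the case study
    "FW01": {"vendor_support"},
}

LEAVERS = {"rmehta"}              # constructed HR feed of people who have left
REVIEW_DATE = date(2015, 5, 25)   # constructed date of this review cycle

def review(register, actual, leavers, today):
    """Return sorted (host, account, finding) triples the reviewer must act on."""
    findings = []
    for host, members in actual.items():
        for acct in members:
            entry = register.get((host, acct))
            if entry is None:
                findings.append((host, acct, "not in register: no approval on record"))
                continue
            if entry["owner"] in leavers:
                findings.append((host, acct, f"owner {entry['owner']} has left: revoke or reassign"))
            if not entry["owner"]:
                findings.append((host, acct, "shared/vendor ID without a named owner"))
            if entry["expires"] and entry["expires"] < today:
                findings.append((host, acct, f"approval expired on {entry['expires']}"))
    for host, acct in register:
        if acct not in actual.get(host, set()):
            findings.append((host, acct, "in register but absent from system: stale record"))
    return sorted(findings)
```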
Take Aways
Privileged IDs represent the highest risk for data leakage
in the organization
Such IDs are numerous due to the large number of
systems and devices in any network
Managing the access of these IDs and monitoring their
activities is of crucial importance!
Technology solutions such as Privileged Identity
Management make this task easier
But these need to be combined with the right policy
framework and comprehensive procedures