Passwords and Breaches: A Match Made in Heaven
TRANSCRIPT
![Page 1: Passwords and Breaches: A Match Made in Heaven](https://reader033.vdocument.in/reader033/viewer/2022051709/587268eb1a28ab31498b5427/html5/thumbnails/1.jpg)
Passwords and Breaches:
A Match Made in Heaven
Dave Shackleford
Voodoo Security
Passwords…Aaargh!!
• The news these days is full of discussion and concern over data breaches, a trend that has been continuing for several years
• All types of sensitive data and organizations have been impacted
• Why does this keep happening?!
DBIR Stats: 2014
• Verizon cited almost 2 out of every 3 breaches involving credentials at some point in the attack campaign
• Many attackers focused almost exclusively on use and abuse of privileged credentials
DBIR Stats: 2015
• In the 2015 DBIR, Verizon noted that every single breached Point-of-Sale (POS) vendor had their credentials breached, allowing attackers to harvest credit card numbers galore.
• In addition, attackers relied less on default credentials being in place, and placed more emphasis on stolen credentials from users.
DBIR Stats: 2016
• Hacking with stolen credentials is WAY up (chart on the original slide)
• 63% of confirmed breaches involve weak, default, or stolen credentials
Breach Example 1: Target
• Target experienced a significant breach of roughly 110 million customers’ data, with at least 40 million payment cards stolen.
• During the course of the investigation, it was found that Target was initially breached through a connection established by one of their vendors, HVAC vendor Fazio Mechanical Services
Breach Example 2: Home Depot
• Home Depot, another large retailer, also claims that its credit card breach in 2014 was initially due to stolen credentials from a third-party vendor.
• In many of the most public cases we have seen, the attackers have targeted personal data, health care information and financial data, such as debit and credit card details.
Breach Example 3: OPM
• Originally cited as 4 million records breached, that number is now upwards of 25 million+
• Highly sensitive data related to background checks, government clearance, and personal information was compromised
• This breach, like many others, seems to have originated with stolen credentials from a background check provider that worked with OPM, KeyPoint Government Solutions
Credential Misuse is a PATTERN.
• Based on this repeated series of attacks, we’ve got years of evidence that credential theft and misuse leads to major breaches and exposure
• We still have issues with:
– One-factor authentication (passwords)
– Password management
– Privileged users and credentials
Stupid Pen Test Tricks:
Credential Dumps
• So many in recent years – Yahoo, LinkedIn, Ashley Madison, etc.
• These should be added to password lists
You go…“ninja”.
Stupid Pen Test Tricks:
Hash Dumps
• Once a system has been exploited, any pen tester will immediately dump creds
Stupid Pen Test Tricks:
Plaintext Creds…aka DERP
• This doesn’t work as often as it used to, but dumping plaintext credentials is a great way to win as a pen tester
Stupid Pen Test Tricks:
Social Engineering
• Social engineering, especially phishing, can grant you access to credentials and/or systems (and thus credentials)
Stupid Pen Test Tricks:
Pass-the-Hash
• In many cases, Windows “Pass the Hash” techniques still work beautifully
– At least for the local Admin account
• Metasploit, the Windows Credential Editor, and other tools can employ this technique
Stupid Pen Test Tricks:
Password Guessing
• While certainly not subtle, password guessing attacks can definitely still prove effective
• Tools like Hydra, Medusa, and others can easily target SMB, SSH, HTTP, and many other forms of authentication
Credential Security: Prevention
• User education on protecting credentials and avoiding social engineering attacks is key
• Create and implement a password security policy
• Implement multi-factor authentication tools
• Password escrow or randomization requires a “checkout” for short-term use, and can be helpful for admin and privileged access and control
Credential Security: Detection
• Detecting credential hijack and abuse may be difficult
• Things to look for:
– Repeated failed logins
– Authentication attempts/activity at abnormal times
– Unusual patterns of access
– Account or system patterns of connectedness
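The first two indicators on this slide, repeated failed logins and authentication at abnormal times, can be turned into a simple detector. The following is an added example (not from the talk): it parses constructed sshd-style auth log lines, and the threshold, business-hours window and log format are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log lines (sample data, not from the talk).
SAMPLE_LOG = """\
2016-03-01 02:14:05 host1 sshd: Failed password for admin from 203.0.113.7 port 51022
2016-03-01 02:14:07 host1 sshd: Failed password for admin from 203.0.113.7 port 51023
2016-03-01 02:14:09 host1 sshd: Failed password for admin from 203.0.113.7 port 51024
2016-03-01 02:14:20 host1 sshd: Accepted password for admin from 203.0.113.7 port 51027
2016-03-01 09:30:00 host1 sshd: Accepted password for alice from 198.51.100.5 port 40001
2016-03-01 10:05:12 host2 sshd: Failed password for bob from 198.51.100.9 port 40002
2016-03-01 10:05:30 host2 sshd: Accepted password for bob from 198.51.100.9 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

FAIL_THRESHOLD = 3             # failures from one source against one account (assumed)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 counts as normal; assumed for the example

def parse(log_text):
    """Turn matching log lines into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events

def find_suspicious(events):
    """Alert on repeated failures, off-hours logins, and a success after a failure burst."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:
                alerts.append(("repeated_failures",) + key)
        else:
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login",) + key)
            if failures[key] >= FAIL_THRESHOLD:   # strongest guessing indicator
                alerts.append(("success_after_failures",) + key)
    return alerts
```

A real deployment would key on the source as well as the account, since spraying one password across many accounts never trips a per-account failure count.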
Credential Security: Response
• If credentials have been hijacked or abused:
– Change passwords immediately
– Notify partners or any connected 3rd parties
– Look for account activity in logs
– Perform forensics and more in-depth analysis of systems with that user activity
Conclusion
• Passwords are a nightmare.
• Of course, we can’t get rid of them easily, but they continue to plague us
• We’re likely to see passwords involved in breach scenarios for some time to come
• The time is NOW to implement better password protection controls!
PowerBroker Password Safe
v5.8
Rod Simmons – Product Manager
PAM – A collection of best practices
• AD Bridge: use AD credentials to access Unix/Linux hosts
• Privilege Delegation: once the user is logged on, manage what they can do
• Session Management: managed list of resources the user is authorized to access; gateway proxy capability; audit of all session activity
• Password & SSH Key Management: automate the management of functional account passwords and SSH keys
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Diagram: Privileged Password Management (People, Services, A2A), Privileged Session Management, SSH Key Management
Differentiator:
Adaptive Workflow Control
Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
Differentiator:
Included Session Management
Privileged Session Management (diagram)
• User authenticates to Password Safe (HTTPS) and requests a session to a protected resource
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
• The RDP/SSH session is proxied through the Password Safe appliance to the protected resource
Differentiator:
Controlling Application Access
Automatic Login to ESXi example (diagram)
• User selects the vSphere application and credentials in the browser (HTTPS)
• RDP client connects to the vSphere RemoteApp: ESXRDP (4489), RDP (3389)
• Components: CredentialCheckout, Credential Management, UserStore, Session Recording / Logging
Automatic Login to Unix/Linux Applications (diagram)
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
Diagram components: Browser (HTTPS), RDP Client, SSH (22) to the SSH Application; user selects the SSH application and credentials; CredentialCheckout; Session Recording / Logging
Differentiator:
Reporting & Analytics
Actionable Reporting
Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Key differentiators and business value
Reduce risk | Achieve compliance | Improve efficiency
Less complexity & cost
• Password and Session Management together in the same solution
• Rotate SSH keys according to a defined schedule and enforce granular access control and workflow
• Native tools for session management (MSTSC/PuTTY etc.), with no Java required
Faster time to value
• Deploy as a hardened physical or virtual appliance with a sealed operating system, or as software
• Clean, uncluttered, and intuitive HTML5 interface for end users
• Full network scanning, discovery and profiling with auto-onboarding, and Smart Rules
Better insights
• Integrated data warehouse and threat analytics capability through BeyondInsight
• Live session monitoring, true dual control for locking, terminating or canceling sessions
• Improve workflow by considering the day, date, time and location when a user accesses resources
PowerBroker Privileged Account Management:
Validated by the industry
BeyondTrust is a “representative vendor” for all five key feature solution categories. [1]
“Deploying the BeyondTrust PAM platform … provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.” [2]
“BeyondTrust is a pure-player in the Global Privileged Identity Management market and holds a significant position in the market.” [3]
“Frost & Sullivan endorses PowerBroker Password Safe.” [4]
“Leverage a solution like BeyondTrust’s PowerBroker for Windows to transparently remove administrator privileges.” [5]
BeyondTrust is a “Major Player” in Privileged Access Management. [6]
“BeyondTrust is a vendor you can rely on… BeyondTrust PowerBroker Auditor suite is an impressive set of flexible and tightly integrated auditing tools for Windows environments.” [7]
[1] Gartner, Market Guide for Privileged Account Management, June 17, 2014.
[2] Ovum, SWOT Assessment: BeyondTrust – The BeyondInsight and PowerBroker Platform, November 5, 2014.
[3] TechNavio, Global Privileged Identity Management Market 2015-2019, 2014.
[4] Frost & Sullivan, PowerBroker Password Safe – a Frost & Sullivan Product Review, 2014.
[5] Forrester, Introducing Forrester’s Targeted Hierarchy of Needs, May 15, 2014.
[6] IDC, IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment, March 2015.
[7] Kuppinger Cole, Executive View: BeyondTrust PowerBroker Auditor Suite, March 2015.
Demonstration
Poll
Q&A
Thank you for attending.