Reducing Risk Through Access Controls, Privilege Management and Auditing
© 2013 BeyondTrust Software
Bruno Caseiro, CISSP, GWAPT, CEH, MCSE
Security Sales Engineer
Agenda
About BeyondTrust
Security concepts that are rarely implemented (properly)
High Profile Breaches in 2013 and 2014
What can we do to reduce the attack surface?
BeyondInsight IT Risk Management Platform: Capabilities

Privilege & Access Management (Internal Risk Management)
• Privileged Password Management
• Shared Account Password Management
• Privileged Session Management
• Privileged Threat Analytics
• User Activity and Entitlement Auditing
• AD Bridge for UNIX/Linux and Mac
• Automated AD Recovery & Protection

Vulnerability Management (External Risk Management)
• Vulnerability Management
• Regulatory Compliance Reporting
• Configuration Compliance Assessment
• Integrated Patch Management
• Endpoint Protection Agents

Platform components (diagram labels): Reporting & Analytics; Central Data Warehouse; Asset Discovery; Asset Profiling; Asset Smart Groups; User Management; Workflow & Notification; Third-Party Integration.

Stakeholders (diagram labels): IT Security: Optimize Controls; IT Risk: Calculate Risk; Management: Prioritize Investments; Compliance & Audit: Produce Reports; IT Operations: Prioritize Mitigation.
Security concepts that are rarely implemented

Least Privilege
Least privilege requires that a user be given no more access privilege than necessary to perform a job, task, or function.

Need to Know
Need to know should be used heavily in situations where operational secrecy is a key concern, in order to reduce the risk that someone will leak that information to the enemy. It is a companion concept to least privilege: it defines the "minimum" as the access that is needed based on job or business requirements.
High Profile Breaches in 2013 - NSA
EDWARD SNOWDEN AND THE NATIONAL SECURITY AGENCY
Edward Snowden, a contractor working as a systems administrator for the NSA, convinced several of his co-workers to provide him with their system credentials, according to a report by Reuters. Snowden may have convinced up to 25 employees at the NSA to give him their usernames and passwords under the pretext that he needed them to do his job.
High Profile Breaches in 2013 - Vodafone
In a statement to CSO, a Vodafone spokesperson said that there had been a "sophisticated and illegal intrusion into one of its servers in Germany," and that the attack appears to have been executed by someone inside the company. An individual has been identified by the police, and their assets have been seized, but there was no further information available by deadline. Speculation by local media in Germany has pointed to a sub-contractor who worked with the telecom giant's administration system as the key suspect.
How can someone get access to your systems?
- They have a valid credential (username and password), and that credential must also have the appropriate privileges;
- They can exploit an existing vulnerability in your system, in which case they don't need credentials.
What can we do to reduce the attack surface?
- Enforce Least Privilege across your organization;
- Control who can access each privileged account and system in your environment;
- Audit what users are doing when they are granted privileged access;
- Audit who is accessing your data, look for anomalies, create alerts, and fix excessive permissions:
  • Changes to critical objects in AD (e.g. the Domain Admins group);
  • Sensitive files and folders on your systems;
  • Executive or strategic mailboxes in your MS Exchange;
  • Sensitive records, tables or databases in MS-SQL, Oracle, and DB2.
- Identify whether you can be compromised by external attacks: audit your vulnerabilities, prioritize, and fix them.
Session Monitoring – Audit what users are doing after launching applications with admin rights
How to control access to privileged accounts?
Solution: PowerBroker Password Safe
PowerBroker Password Safe: architecture (diagram)

Actors:
- PowerBroker Safe Administrator or Auditor (Web or CLI Interface): approval, administration, auditing, etc.
- User (Web Interface): sends an Approval Request and a Password Request to the Manager (Web Interface).
- Application or Script: sends a Password Request to the Manager.

Flows shown: Password (retrieved via SSH, HTTPS); Password (retrieved via API, PBPSRUN); Login w/ Password to the managed targets.

Managed targets: Routers / Switches, Firewalls, Windows Servers, Unix/Linux Servers, SSH/Telnet Devices, IBM iSeries Servers, IBM zSeries Servers, AD/LDAP Directories, Databases.
Audit your environment
- Microsoft File Servers, Active Directory, Exchange, Event Viewer
- Databases: Oracle, MSSQL, and DB2
Monitor any change that occurs in A.D.
User, Group, OU, Printer (deleted, changed, created, etc.)
Who? When? Where? What?
Protect critical objects in A.D.
Specify that in the "domain admins" group, only the user "cassio" can make changes. Even other domain admins will not be able to change that.
Audit for File Servers
Who accessed the file salary.xls in the last 30/60/90 days?
Who is really accessing/changing your critical data? Email me if someone deletes or changes the file secrets.doc.
Audit of Events
What errors or security events are happening on my servers?
You are seeing user accounts being locked out. Where is it happening? Would you like to get alerts when certain types of events are generated?
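As an added example (not BeyondTrust product code and not part of the original deck), this PowerShell answers "Who? When? Where? What?" for the two audit questions above, membership changes to privileged A.D. groups and account lockouts, straight from a domain controller's Security log; it also tells you when a new "hacker" member shows up in Domain Admins. The DC hostname and the watched group list are assumptions, and the "Audit Security Group Management" and "Audit User Account Management" subcategories must be enabled on the DC.

```powershell
# Added example, not BeyondTrust code: read one DC's Security log and report
# privileged-group membership changes and account lockouts with Who/When/Where/What.
# Hostname and group names below are assumptions; adjust to your environment.
param(
    [string]$DomainController = 'dc01.corp.example',
    [int]$Hours = 24,
    [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
)

# 4728/4732/4756: member added to a global/local/universal security group
# 4729/4733/4757: member removed from one;  4740: account locked out
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757
$filter = @{
    LogName   = 'Security'
    Id        = $addIds + $removeIds + 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        if ($_.Id -eq 4740) {
            [pscustomobject]@{
                When  = $_.TimeCreated
                What  = 'Account locked out'
                Who   = $d['TargetUserName']          # the locked account
                Where = $d['TargetDomainName']        # caller computer name in 4740
                By    = $d['SubjectUserName']         # the DC that processed it
            }
        }
        elseif ($WatchedGroups -contains $d['TargetUserName']) {
            $verb = if ($addIds -contains $_.Id) { 'Added to' } else { 'Removed from' }
            [pscustomobject]@{
                When  = $_.TimeCreated
                What  = "$verb $($d['TargetUserName'])"
                Who   = $d['MemberName']              # DN of the account that was changed
                Where = $_.MachineName                # DC that recorded the change
                By    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    } |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```

Scheduling this and mailing any non-empty result gives the "alert me" behaviour the slides ask for; Get-WinEvent reports an error rather than an empty table when no matching events exist in the window.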
Audit for Microsoft Exchange
An email message has "disappeared". When did it happen, and who deleted it?
Who is reading your CEO's e-mail messages? Only him? Really? Would you like to receive an alert when it occurs?
Audit for MSSQL, Oracle, and DB2
What changes occurred in the last 24 hours?
Is someone looking at sensitive tables like salary, credit cards, etc.? Would you like to receive an alert if suspicious activity occurs?
Audit your vulnerabilities, prioritize, and patch them!
Solution: Retina CS – Vulnerability Mgmt
Patch Management
- Patches for Microsoft (Windows, MSSQL, Office, etc.)
- Java
- Adobe
- WinRAR
- Firefox, Chrome, etc.
Challenge - You will be surprised!
- How many administrators do you have in your environment?
- How many service accounts do you have in your environment?
- Who is accessing your top 5 sensitive folders?
- If you create and add a "hacker" account to the Domain Admins group, when will people realize it?
- When were the passwords for these accounts last changed: the Domain Administrator on Windows; the Administrator account on your MS-Windows workstations; root on your Linux and Unix systems; the admin password for your networking devices (switches, firewalls, etc.); the SA password for your MS-SQL or Sysadmin for your Oracle?
- How many vulnerabilities can be exploited remotely? I mean, easily exploited remotely with tools already available on the Internet.
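An added, read-only PowerShell inventory (not part of the presentation or of any BeyondTrust product) that answers the first challenge questions for one A.D. domain using the RSAT ActiveDirectory module; the administrative-group list, the service-account heuristic and the folder paths are assumptions.

```powershell
# Added example, not BeyondTrust code: answer the first "Challenge" questions for
# one AD domain. Needs the RSAT ActiveDirectory module and read access to the
# directory; nothing is modified. Group names, the service-account heuristic and
# the sensitive folder paths are assumptions to adjust for your environment.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. How many administrators? Expand nested groups so indirect members count.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$admins = $adminGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object distinguishedName -Unique

# 2. How many service accounts? Heuristic: enabled users that carry a
#    servicePrincipalName or have "password never expires" set.
$serviceAccounts = Get-ADUser -Filter 'Enabled -eq $true' -Properties servicePrincipalName, PasswordNeverExpires |
    Where-Object { @($_.servicePrincipalName).Count -gt 0 -or $_.PasswordNeverExpires }

# 3. When was the domain Administrator password last changed?
#    RID 500 is always the built-in Administrator, even if it was renamed.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties PasswordLastSet
$adminPwdAge  = if ($builtinAdmin.PasswordLastSet) {
    [int]((Get-Date) - $builtinAdmin.PasswordLastSet).TotalDays
} else { 'never set' }

# 4. Who is *allowed* into your sensitive folders (explicit, non-inherited ACEs)?
#    Who actually *accesses* them needs object-access auditing (event 4663).
$sensitiveFolders = '\\fs01\finance\salary', '\\fs01\hr\contracts'   # assumed paths
$folderAccess = foreach ($path in $sensitiveFolders) {
    if (Test-Path $path) {
        (Get-Acl $path).Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object { "$path : $($_.IdentityReference) -> $($_.FileSystemRights)" }
    } else { "$path : not reachable" }
}

[pscustomobject]@{
    Domain                      = $domain.DNSRoot
    PrivilegedUsers             = @($admins).Count
    PrivilegedUserNames         = (@($admins).SamAccountName -join ', ')
    ServiceAccountsHeuristic    = @($serviceAccounts).Count
    BuiltinAdminPasswordAgeDays = $adminPwdAge
    SensitiveFolderAccess       = ($folderAccess -join "`n")
} | Format-List
```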