Who will guard the guards? K. K. Mookhey Principal Consultant Network Intelligence India Pvt. Ltd.

Upload: network-intelligence-india

Post on 26-May-2015


Page 1: Who will guard the guards

Who will guard the guards?

K. K. Mookhey

Principal Consultant

Network Intelligence India Pvt. Ltd.

Page 2: Who will guard the guards

Speaker Introduction

• Founder & Principal Consultant

• Network Intelligence

• Institute of Information Security

• Certified as CISA, CISSP and CISM

• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009

• Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)

• Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)

• Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.

Page 3: Who will guard the guards

Agenda

• Ground-level Realities

• Compliance & Regulations

• Case Study of Privileged Identity Challenges

• Solutions

  – Policy

  – Process

  – Technology

Page 4: Who will guard the guards

Ground Level Realities

How sys admins really operate!

Page 5: Who will guard the guards

What happened at RSA?

Page 6: Who will guard the guards

Spear Phishing

Page 7: Who will guard the guards

SQL Server to Enterprise 0wned!

• Entry Point – 172.16.1.36

• Vulnerability -> SQL Server

  – Default username and password

  – Username: sa

  – Password: password

Page 8: Who will guard the guards

Privilege Escalation on the Network

• Using the Administrator account to log on to other machines

• Login to the domain server was not possible

• Check for impersonating users

Page 9: Who will guard the guards

The Insider Threat

No. 1 security concern of large companies is… THE INSIDER THREAT (IDC Analyst Group)

• 86% of the insiders held technical positions (CERT)

• 90% of them were granted system administrator or privileged system access when hired (CERT)

• 64% used remote access (CERT)

• 50% of those people were no longer supposed to have this privileged access (Source: Carnegie Mellon, DOD)

• 92% of all the insiders attacked following a negative work-related event like termination, dispute, etc. (CERT)

Page 10: Who will guard the guards

Notable Finding

Page 11: Who will guard the guards

Compliance and Regulation

Current Audit Questions around Privileged Accounts:

• “Can you prove that you are protecting access to key accounts?”

• “Who is acting as System Administrator for this activity?”

• “Can you prove that Rahul Mehta’s access to the netAdmin ID was properly approved?”

• “Can you show me what Rahul Mehta did within his session as root last week?”

• “Are you changing the Exchange Admin password in line with company policy?”

• “Have you removed hard-coded passwords from your applications?”

PCI, SOX, Basel II & HIPAA are all diving deeper into Privileged Accounts

Page 12: Who will guard the guards

Telecom Regulations

• DOT circular (31st May 2011) states in 5.6 A (vi) c. that

  – The Licensee shall keep a record of all the operation and maintenance command logs for a period of 12 months, which should include the actual command given, who gave the command, when was it given and from where. For next 24 months the same information shall be stored/retained in a non-online mode.
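As an added example (not part of the slides), the Python below shows what satisfying the DOT requirement and the Page 11 audit question (“what did this user do as root last week?”) looks like in practice: it parses privileged-command audit records into the four mandated fields (command, who, when, from where), answers a per-user time-window query, and assigns each record to the 12-month online or the following 24-month non-online retention tier. The key=value record format, the hosts, addresses and the user name rmehta are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample audit records in an assumed key=value format (neither the
# slides nor the DOT circular prescribe a format). Each valid line carries the
# four fields the circular requires: the command, who gave it, when, and from where.
SAMPLE_LOG = """\
ts=2015-05-18T09:15:02 user=rmehta src=10.20.3.41 host=db-prod-01 cmd="sudo -i"
ts=2015-05-18T09:15:40 user=rmehta src=10.20.3.41 host=db-prod-01 cmd="cat /etc/shadow"
ts=2015-05-20T18:02:11 user=jsmith src=10.20.3.77 host=web-01 cmd="service httpd restart"
ts=2015-05-22T11:30:00 user=rmehta src=10.20.3.41 host=web-01 cmd="sudo useradd tmpadmin"
this line is not a valid audit record and must be rejected
"""

# key=value, where the value is either a double-quoted string or a bare token
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class CommandRecord:
    when: datetime   # when the command was given
    who: str         # who gave it
    src: str         # from where (source address of the session)
    host: str        # system the command ran on
    command: str     # the actual command given


def parse_record(line: str) -> Optional[CommandRecord]:
    """Parse one line; return None if any mandated field is missing or malformed."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    try:
        return CommandRecord(
            when=datetime.fromisoformat(fields["ts"]),
            who=fields["user"],
            src=fields["src"],
            host=fields["host"],
            command=fields["cmd"],
        )
    except (KeyError, ValueError):
        return None


def parse_log(text: str) -> List[CommandRecord]:
    """Parse every line, dropping malformed ones (a real collector should count them)."""
    records = (parse_record(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def session_report(records: List[CommandRecord], who: str,
                   start: datetime, end: datetime) -> List[CommandRecord]:
    """The auditor's question: what did <who> run between start (inclusive) and end?"""
    return [r for r in records if r.who == who and start <= r.when < end]


def months_elapsed(then: datetime, now: datetime) -> int:
    """Whole calendar months from `then` to `now`."""
    months = (now.year - then.year) * 12 + (now.month - then.month)
    if now.day < then.day:
        months -= 1
    return months


def retention_tier(when: datetime, now: datetime) -> str:
    """12 months online, the next 24 months non-online, after that outside the mandate."""
    elapsed = months_elapsed(when, now)
    if elapsed < 12:
        return "online"
    if elapsed < 36:
        return "non-online"
    return "beyond-mandate"


if __name__ == "__main__":
    now = datetime(2015, 5, 26)
    records = parse_log(SAMPLE_LOG)
    for r in session_report(records, "rmehta", datetime(2015, 5, 19), now):
        print(r.when, r.who, r.src, r.host, r.command, retention_tier(r.when, now))
```

The report answers the audit question only because every record carries all four fields; a collector that accepts lines missing the source address or the identity behind a shared ID cannot answer “who gave the command” later, which is why parse_record rejects such lines rather than filling in blanks.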

Page 13: Who will guard the guards

Other Regulations

• RBI Guidelines on Technology Risks

• IT Act Notifications – April 2011

Page 14: Who will guard the guards

What are Privileged Accounts?

Acct Type | Scope | Used by | Used for
Elevated Personal Accts (SUPM) | Personal accounts with elevated permissions: JSmith_admin, SUDO | IT staff | Privileged operations; access to sensitive information
Shared Privileged Accounts (SAPM) | Administrator, UNIX root, Cisco Enable, Oracle SYS, Local Administrators, ERP admin | IT staff: System Admins, Network Admins, DBAs, Help Desk, Developers, Legacy Apps, etc. | Emergency, fire-call, disaster recovery, privileged operations; access to sensitive information
Application Accounts (AIM) | Hard-coded and embedded application IDs, service accounts | Applications, scripts, Windows services, scheduled tasks, batch jobs, developers, etc. | Online database access, batch processing, App-2-App communication

Highly powerful. Difficult to control, manage & monitor. Usage is not ‘personalized’. Pose devastating risk if misused.

Page 15: Who will guard the guards

The Scope of the Problem...

“Most organizations have more privileged accounts than personal accounts” (Sally Hudson, IDC)

• Typical use case - mid-size company IT profile:

  – ~10,000 employees

  – 8,000+ desktops/laptops

  – 200 Windows servers

  – 10 Windows domains

  – 500 Unix/Linux servers

  – 20 WebSphere/Weblogic/Jboss/Tomcat servers

  – 100 Oracle/DB2/Sqlserver databases

  – 50 Cisco/Juniper/Nortel routers and switches

  – 20 firewalls

  – 1,000 application accounts

  – 150 Emergency and break-glass accounts

Page 16: Who will guard the guards

App2App Communication

• App2App interaction requires an authentication process

  – Calling application needs to send credentials to target application

• Common use cases

  – Applications and Scripts connecting to databases

  – 3rd Party Products accessing network resources

  – Job Scheduling

  – Application Server Connection Pools

  – Distributed Computing Centers

  – Application Encryption Key Management

  – ATM, Kiosks, etc.
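The App2App use cases above are where the Page 11 audit question “Have you removed hard-coded passwords from your applications?” bites, because the calling application has to present a credential somewhere. As an added example (not from the slides or any vendor tool), the Python below runs three heuristic rules over constructed source snippets: a quoted literal assigned to a password-like key, a properties-file entry holding a password, and a user/password@service string of the kind found in database client invocations. The file names, contents, credentials and rule set are all constructed; the last file shows the shape that passes, a secret read from the environment at run time rather than stored in source.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample files (not from any real application). Three carry a
# hard-coded credential; good_service.py reads its secret from the environment.
SAMPLE_FILES: Dict[str, List[str]] = {
    "legacy_batch.py": [
        'conn = connect(host="db-prod-01", user="batch_app", password="Summer2015!")',
        "run_nightly(conn)",
    ],
    "monthly_report.sh": [
        "#!/bin/sh",
        'sqlplus "sys/0racle@ORCL as sysdba" @monthly.sql',
    ],
    "app.properties": [
        "db.url=jdbc:oracle:thin:@db-prod-01:1521:ORCL",
        "db.password=changeme",
    ],
    "good_service.py": [
        "import os",
        'password = os.environ["BATCH_DB_PASSWORD"]  # injected at run time, not stored',
        'conn = connect(host="db-prod-01", user="batch_app", password=password)',
    ],
}

# Heuristic rules (name, regex). They flag literal secrets only; assignments
# from a variable or an environment lookup deliberately do not match.
RULES = [
    # password="..." / pwd: '...' with a quoted literal on the right-hand side
    ("quoted-literal",
     re.compile(r"""(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*["'][^"']+["']""")),
    # whole-line properties entry such as db.password=changeme
    ("properties-entry",
     re.compile(r"""(?i)^\s*[\w.]*(password|passwd|secret)\s*=\s*\S+\s*$""")),
    # user/password@service as embedded in client command lines
    ("embedded-user-pass-at",
     re.compile(r"""\b\w+/[^\s@/"']+@[\w.]+""")),
]


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str


def scan_for_hardcoded_credentials(files: Dict[str, List[str]]) -> List[Finding]:
    """Return one Finding per line that trips any rule (first matching rule wins)."""
    findings: List[Finding] = []
    for path, lines in files.items():
        for line_no, line in enumerate(lines, start=1):
            for name, pattern in RULES:
                if pattern.search(line):
                    findings.append(Finding(path, line_no, name))
                    break
    return findings


if __name__ == "__main__":
    for f in scan_for_hardcoded_credentials(SAMPLE_FILES):
        # Report location and rule only; never echo the matched secret into a log.
        print(f"{f.path}:{f.line_no}: {f.rule}")
```

Regex rules of this kind are a starting point for the audit answer, not proof of absence: they miss obfuscated or concatenated secrets and will flag some harmless strings, so each finding still needs a person to confirm it and to move the credential into a managed store such as the AIM tier in the account table.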

Page 17: Who will guard the guards

Summary: Privileged Identity & Session Management

A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud

• Discover all privileged accounts across datacenter

• Manage and secure every credential

• Enforce policies for usage

• Record and monitor privileged activities

• React and comply

• Integrate with IDAM

Page 18: Who will guard the guards

Controls Framework

Page 19: Who will guard the guards

Policies

• Privileged ID Management Policy & Procedures

• Privileged ID allocation – process of the approval mechanism for it

• Privileged ID periodic review – procedure for this

• Monitoring of privileged ID activities – mechanisms and procedures for logging and monitoring privileged IDs

• Revocation of a privileged ID – what happens when an Administrator leaves the organization?

• How are vendor-supplied user IDs managed?

• Managing shared/generic privileged IDs
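As an added example (not part of the slides), the Python below turns the allocation, periodic review, revocation and shared/vendor ID items above into checks that can be run against an inventory of privileged grants. It flags IDs whose holder has left (the revocation gap behind the CERT figure on Page 9), IDs with no recorded approval, IDs whose review date has passed, and shared or vendor-supplied IDs without a named custodian. The grant schema, the HR roster, account names such as netAdmin and the people in it are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class PrivilegedGrant:
    account: str                     # the privileged ID, e.g. "netAdmin" or "root@db-prod-01"
    holder: str                      # person accountable for using the ID
    kind: str                        # "personal", "shared" or "vendor"
    approved_by: Optional[str]       # who approved the allocation (None = no record)
    approved_on: Optional[date]
    review_due: date                 # date the next periodic review was scheduled for
    custodian: Optional[str] = None  # named owner, mandatory for shared/vendor IDs


@dataclass
class Finding:
    account: str
    holder: str
    issue: str


# Constructed sample data: HR status per person, then the current grants.
ROSTER: Dict[str, str] = {
    "rmehta": "active",
    "jsmith": "left",        # has left the organisation; grants must be revoked
    "akumar": "active",
    "vendor-ora": "active",  # vendor-supplied support login
}

GRANTS: List[PrivilegedGrant] = [
    PrivilegedGrant("netAdmin", "rmehta", "shared", "it-head",
                    date(2015, 1, 10), date(2015, 7, 10), custodian="rmehta"),
    PrivilegedGrant("root@db-prod-01", "jsmith", "personal", "it-head",
                    date(2014, 11, 1), date(2015, 5, 1)),
    PrivilegedGrant("fire-call-01", "akumar", "shared", "it-head",
                    date(2015, 3, 1), date(2015, 9, 1)),              # no custodian
    PrivilegedGrant("ora-support", "vendor-ora", "vendor", None, None,
                    date(2015, 6, 30), custodian="akumar"),           # never approved
]


def review_privileged_ids(grants: List[PrivilegedGrant], roster: Dict[str, str],
                          review_date: date) -> List[Finding]:
    """Apply the policy items from the slide to every grant and return what fails."""
    findings: List[Finding] = []
    for g in grants:
        # Revocation: the holder is no longer active, so the ID must not stay allocated.
        if roster.get(g.holder, "unknown") != "active":
            findings.append(Finding(g.account, g.holder, "holder-left-revoke"))
        # Allocation: every privileged ID needs a recorded approval.
        if not g.approved_by or g.approved_on is None:
            findings.append(Finding(g.account, g.holder, "no-recorded-approval"))
        # Periodic review: the scheduled review date has passed.
        if g.review_due < review_date:
            findings.append(Finding(g.account, g.holder, "review-overdue"))
        # Shared/generic and vendor-supplied IDs need a named custodian.
        if g.kind in ("shared", "vendor") and not g.custodian:
            findings.append(Finding(g.account, g.holder, "no-named-custodian"))
    return findings


def accounts_to_revoke(findings: List[Finding]) -> List[str]:
    """IDs to disable immediately rather than waiting for the next review cycle."""
    return sorted({f.account for f in findings if f.issue == "holder-left-revoke"})


if __name__ == "__main__":
    results = review_privileged_ids(GRANTS, ROSTER, date(2015, 5, 26))
    for f in results:
        print(f"{f.account:18} {f.holder:12} {f.issue}")
    print("revoke now:", accounts_to_revoke(results))
```

Feeding the review from the HR roster rather than from the IT ticket queue is the point of the revocation check: the grant for a departed administrator is only found if the review consults a source that knows the person has gone.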

Page 20: Who will guard the guards

K. K. MOOKHEY

[email protected]

Thank you!

Questions / Queries

NETWORK INTELLIGENCE INDIA PVT. LTD.

www.niiconsulting.com