Stopping Attacks Before They Stop Business

Presentation on theme: "Stopping Attacks Before They Stop Business"— Presentation transcript:

1 Stopping Attacks Before They Stop Business
Jeff Vealey – Customer Success Technical Advisor CyberArk Software

2 State of play There are only two types of companies: Those that have been hacked, and those that will be. Even that is merging into one category; those that have been hacked and will be again. FBI Director Robert Mueller 2012

3 Recent history

4 Cyber Attacks Are a Daily Event

5 Cyber Security and Privileged Access
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.” “…100% of data breaches involved stolen credentials.” Mandiant, M-Trends and APT1 Report

6 Privileged Account Definition and Scope
Privileged Account Definition: any account which has the ability to access and update the configuration of a critical system or impact its operational service.
Scope (examples of systems that carry privileged accounts):
- Routers, firewalls, hypervisors, servers, databases, applications
- Laptops, tablets, smartphones
- Power plants, factory floors
- WiFi routers, smart TVs

7 Privileged Account Security: the new security layer
Security layers, from the outside in:
- Perimeter security
- Security controls inside the network
- Monitoring
- Privileged account security (the new layer)

8 Typical processes that attackers expose…
- Local admin accounts set to the same password
- Unmanaged SSH keys used for interactive sessions and applications
- Separate, named domain accounts created for each admin
- Workstation users granted local admin rights
- Non-expiring passwords for critical accounts
- Standing access: network, access and authentication
- Hard-coded credentials for applications in code, scripts and appliances
- Excessive permissions for specific roles, like DBAs, developers, etc.
- Lack of visibility around who, why and whether it is legitimate access

9 Data Breaches - Real Life Example

10 How did the attack start?
ABC Company
Step 1: Attackers used a phishing scam to detect local admin users.
Step 2: Executive user with local admin privilege discovered. Pass-the-hash attack starts.
Step 3: Hash of the helpdesk user who remotely assisted the executive 3 days prior extracted and used.

11 What happened?
Step 4: Using the helpdesk user's password hash, server access was finally gained (local admin accounts).
Step 5: Authenticated to multiple servers using those privileges until they gained domain-admin level access (Domain Admin accounts).
Step 6: Golden Ticket attack performed. Used system access to:
- Write own Kerberos tickets
- Exfiltrate data
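One way the Golden Ticket step above shows up in domain controller logs, as an added example that is not part of the presentation or of any CyberArk product. A forged TGT is never issued by a domain controller, so no Kerberos TGT request (Windows security event 4768) is logged for it, yet every service ticket the attacker requests with it (event 4769) still reaches a DC. The check below correlates the two: a 4769 for an account and client address with no 4768 for the same pair inside the TGT lifetime window is flagged. The 10-hour window is the Active Directory default maximum TGT lifetime; the event records are constructed for this example and carry only the fields the check needs.

```python
from datetime import datetime

# Assumption: the domain uses the default maximum TGT lifetime of 10 hours.
DEFAULT_TGT_LIFETIME_HOURS = 10

# Constructed sample events (not real logs). The field names mirror the
# security-log fields EventID, TargetUserName, IpAddress and ServiceName.
SAMPLE_EVENTS = [
    {"time": "2015-06-01T08:00:00", "id": 4768, "user": "jdoe", "ip": "10.0.5.20", "service": "krbtgt"},
    {"time": "2015-06-01T08:00:02", "id": 4769, "user": "jdoe", "ip": "10.0.5.20", "service": "cifs/fs01"},
    {"time": "2015-06-01T09:15:00", "id": 4769, "user": "jdoe", "ip": "10.0.5.20", "service": "ldap/dc01"},
    # Service tickets for a domain admin with no TGT request from that client:
    # the pattern a forged (Golden) TGT leaves behind.
    {"time": "2015-06-01T22:41:10", "id": 4769, "user": "da-backup", "ip": "10.0.9.77", "service": "cifs/dc01"},
    {"time": "2015-06-01T22:41:12", "id": 4769, "user": "da-backup", "ip": "10.0.9.77", "service": "ldap/dc01"},
    # A TGT request exists but is older than the ticket lifetime: also flagged.
    {"time": "2015-06-01T06:00:00", "id": 4768, "user": "svc-sql", "ip": "10.0.7.5", "service": "krbtgt"},
    {"time": "2015-06-01T18:30:00", "id": 4769, "user": "svc-sql", "ip": "10.0.7.5", "service": "MSSQLSvc/sql01"},
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(stamp)


def find_orphan_service_tickets(events, window_hours=DEFAULT_TGT_LIFETIME_HOURS):
    """Return the 4769 events that have no 4768 for the same (user, client IP)
    within the preceding `window_hours`. Events may arrive in any order."""
    last_tgt = {}  # (user, ip) -> time of the most recent TGT request seen
    suspicious = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        key = (ev["user"].lower(), ev["ip"])
        when = parse_time(ev["time"])
        if ev["id"] == 4768:
            last_tgt[key] = when
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            age_hours = None if seen is None else (when - seen).total_seconds() / 3600
            if seen is None or age_hours > window_hours:
                suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for ev in find_orphan_service_tickets(SAMPLE_EVENTS):
        print(f"no recent TGT request: {ev['user']} from {ev['ip']} -> {ev['service']} at {ev['time']}")
```

The check only works on a complete view: 4768 and 4769 must be collected from every domain controller into one place, otherwise a TGT issued by a DC you are not collecting from looks exactly like a forged one. Clients that still hold a TGT from before collection started, and accounts that renew long-lived tickets, will also appear here, so treat a hit as a lead to confirm against the DC that supposedly issued the ticket, not as a verdict.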

12 Comprehensive Approach Required

13 Stats

14 Privileged Account Statistics
100% of advanced attacks exploit privileged credentials.

15 Privileged Account Statistics
51% of privileged account passwords are shared. Shared with whom? What happens when people leave the organization?

16 Privileged Account Statistics
53% of large enterprises take 90 days or longer to change privileged passwords. Current processes are making it easier for attackers to move around the infrastructure.

17 Privileged Account Statistics
86% of large enterprises do not know, or have underestimated, the magnitude of their privileged account security problem. There is more than one way to underestimate this: amount, scope, power, same/similar passwords.

18 Privileged Account Statistics
67% of privileged accounts across enterprises are either unknown or unmanaged. Remember the breach at a US health insurer? 70 million credit card details were stolen because of 1 unmanaged credential.

19 Privileged Account Statistics
??% Truth? Are these numbers correct?

20 Privileged Account Statistics
100% of advanced attacks exploit privileged credentials.

21 Compliance View

22 Compliance and Regulation
PCI SOX

23 Reduce Risk of Privileged Account Exploits

24 Implement a standardized privileged access strategy
For each layer (application, database, operating system, network, infrastructure):
- Why is privileged access needed?
- Who needs privileged access?
- Which entities are used to authenticate?
- Can approval workflows be enforced?
- What controls are in place right now?

25 Example Controls… (Ref / Process / Description; the slide's Priority column was not captured)
C1 Inventory and reduce the number of privileged accounts in your organization. Knowing how many accounts are present in the environment and where they are is a critical first step in making informed risk decisions and protecting the accounts. Once inventoried, privileged accounts should be reviewed and unnecessary accounts should be deleted to reduce the overall number of accounts requiring management.
C2 Prohibit standard user accounts from having privileged access. Utilising separate accounts for general and administrative use enables organizations to identify misuse or abuse of privileged accounts. In addition, enforcing least privilege is a significant step an organization can take towards improving the security of their network environment.
C3 Create a process for on- and off-boarding employees that have privileged account access. Employees should understand the responsibility that comes with privileged access and be trained in existing corporate policies before administrative access is granted. Access should routinely be reviewed to ensure privileged access is still required. The off-boarding process should include disabling all employee privileged accounts and changing passwords to any shared accounts the employee had access to.
C4 Eliminate the practice of accounts that have non-expiring passwords. Passwords should be changed on a regular schedule to reduce their vulnerability to password cracking tools and password sharing between employees.
C5 Store passwords / keys securely. It is imperative that organizations store their privileged credentials in the most secure, encrypted vaulting system available. The use of envelopes, binders, spreadsheets, flat files, etc. for the storage of privileged account information should be eliminated.
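An added example, not from the presentation, of what the first pass over controls C1, C2 and C4 looks like once you have an export of Active Directory user objects. The rows below stand in for the attributes such an export carries (sAMAccountName, memberOf, userAccountControl, pwdLastSet); the two userAccountControl bit values are the documented AD constants, the 90-day rotation limit is the figure quoted on slide 16, and the account names, group names, dates and the "-adm"/"svc-" naming convention used for the C2 check are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Documented Active Directory userAccountControl bits.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000

# Assumption: these built-in groups define "privileged" for the inventory (C1).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Slide 16: 90 days or longer between changes is the problem figure.
ROTATION_LIMIT = timedelta(days=90)

# Constructed export rows (not real directory data).
SAMPLE_EXPORT = [
    {"sam": "jdoe", "memberOf": ["Domain Users"], "uac": 0x200, "pwdLastSet": "2015-05-20"},
    {"sam": "jdoe-adm", "memberOf": ["Domain Admins"], "uac": 0x200, "pwdLastSet": "2015-05-28"},
    {"sam": "svc-backup", "memberOf": ["Domain Admins"], "uac": 0x200 | DONT_EXPIRE_PASSWD, "pwdLastSet": "2012-01-09"},
    {"sam": "old-contractor", "memberOf": ["Administrators"], "uac": 0x200 | ACCOUNTDISABLE, "pwdLastSet": "2014-02-01"},
    {"sam": "dba01", "memberOf": ["Domain Users", "SQL Admins"], "uac": 0x200, "pwdLastSet": "2014-11-01"},
]


def follows_admin_naming(sam):
    """Assumed convention (hypothetical): dedicated admin accounts end in '-adm',
    service accounts start with 'svc-'. Anything else in a privileged group is
    a candidate day-to-day account holding admin rights (C2)."""
    return sam.endswith("-adm") or sam.startswith("svc-")


def audit_privileged_accounts(export, as_of, privileged_groups=PRIVILEGED_GROUPS, limit=ROTATION_LIMIT):
    """Run the C1/C2/C4 checks over export rows. `as_of` is an ISO date string."""
    now = datetime.fromisoformat(as_of)
    findings = {"privileged": [], "disabled": [], "non_expiring": [], "stale": [], "naming": []}
    for acct in export:
        if not set(acct["memberOf"]) & privileged_groups:
            continue  # C1 scope: only accounts in a privileged group
        sam = acct["sam"]
        findings["privileged"].append(sam)
        if acct["uac"] & ACCOUNTDISABLE:
            findings["disabled"].append(sam)  # C1: unnecessary account, remove it
        if acct["uac"] & DONT_EXPIRE_PASSWD:
            findings["non_expiring"].append(sam)  # C4
        if now - datetime.fromisoformat(acct["pwdLastSet"]) > limit:
            findings["stale"].append(sam)  # slide 16: 90+ days since last change
        if not follows_admin_naming(sam):
            findings["naming"].append(sam)  # C2: review for mixed general/admin use
    return findings


if __name__ == "__main__":
    for check, names in audit_privileged_accounts(SAMPLE_EXPORT, "2015-06-01").items():
        print(f"{check}: {', '.join(names) or '-'}")
```

Membership of the built-in groups is only the start of the inventory: nested groups, AdminSDHolder-protected objects, local Administrators on servers and the "SQL Admins" style of application role in the sample all need their own enumeration before the 67% figure on slide 18 can be measured for your own environment.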

26 Restrict Lateral Movement – Define the Target Operating Model
- Tier 0, forest admins: direct or indirect administrative control of the Active Directory forest, domains, or domain controllers
- Tier 1, server admins: direct or indirect administrative control over a single or multiple servers
- Tier 2, workstation admins: direct or indirect administrative control over a single or multiple devices
Source: Microsoft, Mitigating Pass The Hash and Other Credential Theft V2
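An added example, not from the presentation or from Microsoft's guidance, of checking logon records against the tier model above. It applies the model's core rule as read here: an administrative account may only log on interactively (console or remote desktop) to hosts in its own tier, so a Tier 0 credential never lands on a workstation where a pass-the-hash can collect it, and a workstation admin never reaches a domain controller. Network logons are skipped because the model restricts administrative control, not ordinary authentication to a DC. Host and account tier assignments and the logon records are constructed for the example.

```python
# Constructed tier assignments (not a real environment).
HOST_TIER = {"dc01": 0, "adfs01": 0, "fs01": 1, "sql01": 1, "ws-exec-12": 2, "ws-help-03": 2}
ACCOUNT_TIER = {"da-backup": 0, "srvadm-lee": 1, "helpdesk-kim": 2}

# Logon types where the credential is exposed on the target host.
INTERACTIVE_TYPES = {"interactive", "remote-interactive"}

# Constructed logon records, in the spirit of the ABC Company chain on slides 10-11.
SAMPLE_LOGONS = [
    {"account": "da-backup", "host": "dc01", "type": "interactive"},
    {"account": "srvadm-lee", "host": "sql01", "type": "remote-interactive"},
    # Helpdesk remote-assists an executive's workstation: tier-compliant, yet the
    # hash it leaves behind is exactly what step 3 of the attack chain used.
    {"account": "helpdesk-kim", "host": "ws-exec-12", "type": "remote-interactive"},
    # A Tier 0 credential used on a Tier 2 workstation: credential exposed downward.
    {"account": "da-backup", "host": "ws-exec-12", "type": "interactive"},
    # A Tier 2 admin administering a Tier 1 server: privilege reaching upward.
    {"account": "helpdesk-kim", "host": "fs01", "type": "remote-interactive"},
    # Ordinary authentication traffic to a DC is not an administrative logon.
    {"account": "helpdesk-kim", "host": "dc01", "type": "network"},
    # Anything not classified cannot be judged and must be reported as such.
    {"account": "unknown-svc", "host": "fs01", "type": "interactive"},
]


def tier_violations(logons, host_tier=HOST_TIER, account_tier=ACCOUNT_TIER):
    """Return (account, host, reason) for every interactive logon that crosses tiers
    or involves an unclassified account or host."""
    out = []
    for lg in logons:
        if lg["type"] not in INTERACTIVE_TYPES:
            continue
        a, h = account_tier.get(lg["account"]), host_tier.get(lg["host"])
        if a is None or h is None:
            out.append((lg["account"], lg["host"], "unclassified"))
        elif a < h:
            out.append((lg["account"], lg["host"], "credential_exposed_downward"))
        elif a > h:
            out.append((lg["account"], lg["host"], "privilege_reaching_upward"))
    return out


if __name__ == "__main__":
    for account, host, reason in tier_violations(SAMPLE_LOGONS):
        print(f"{reason}: {account} -> {host}")
```

The helpdesk-on-executive-workstation record passes the tier check and is still the foothold the attack chain used, which is the point of pairing the operating model with the credential controls on the following slides: tiering bounds how far a stolen credential can travel, and isolation plus rotation limits what is there to steal.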

27 Privileged Account Security

28 Privileged Account Security - Critical Steps
1. Discover all of your privileged accounts
2. Protect and manage privileged account credentials
3. Control, isolate and monitor privileged access to servers and databases
4. Implement least-privilege access for server and workstation access
5. Use real-time privileged account intelligence to detect and respond to in-progress attacks

29 First, understand the Current Position

31 Protect and Manage Privileged Account Credentials
- Protect the privileged credentials: secure digital vault
- Implement strong credential access workflows
- Simplify policy management: "master policy" function

32 Control, Isolate and Monitor Privileged Activity
- Establish a single point of control for privileged sessions
- Isolate malware from the target system
- Monitor and record command-level activity

33 Use Real-time, Privileged Account Intelligence
Privileged account intelligence detects attacks:
- Privileged credential access: vault access intelligence
- Privileged session activity: privileged session intelligence
- Full integration with existing SIEM solution
Detect malicious activity:
- Real-time, integrated with SIEM
- Full forensics capabilities: complete, indexed record of privileged activity
- Detect anomalies in day-to-day activity

34 The Standardized Approach for Privileged Access
- Real-time threat detection: detect attempts to circumvent controls
- Privileged account management: enforce account management on all privileged accounts
- Privileged access into the global IT environment by IT admins, applications and 3rd parties, with secure app-to-app authentication
Directive: implements the new concept, a Target Operating Model for risk mitigation. Standardize privileged access for all accounts, human and non-human IDs.
Benefits:
- Mitigates risk by reducing the attack surface within the heart of the enterprise
- Implements a standardized workflow for privileged access; central control and audit
- Provides full accountability, forensics and threat detection

35 So….in summary…

36 Stop looking for the next big thing….it is already here.

37 Privileged Credentials are the biggest problem in Security

38 The time is now to act or you are increasing your odds of being the next attack

39 Otherwise…..

40 They will find your passwords…

41 They will gain access….

42 They will penetrate deep in your network….

43 And who are you left to call???

44 These guys? Probably not.

45 Thank you

