2. Speaker Introduction
Founder & Principal Consultant
Network Intelligence
Institute of Information Security
Certified as CISA, CISSP and CISM
Speaker at Blackhat 2004, Interop 2005, IT Underground
2005, OWASP Asia 2008,2009
Co-author of book on Metasploit Framework (Syngress),
Linux Security & Controls (ISACA)
Author of numerous articles on SecurityFocus, IT Audit, IS
Controls (ISACA)
Over a decade of experience in pen-tests, application security
assessments, forensics, compliance, etc.
3. Agenda
Ground-level Realities
Compliance & Regulations
Case Study of Privileged Identity Challenges
Solutions
Policy
Process
Technology
5. Further background…
―Fraud worries Indian outsourcing firms... Industry executives
and officials at Nasscom, … say they are worried that exposés
of recent incidents of fraud are damaging India's reputation as
a high-skilled, low-cost location…‖
―Laterals attrition worrying IT biggies... some companies are now battling
attrition as high as 40% among their project managers, threatening to
disrupt ongoing engagements. ―
―Infosys wrestles with India IT worker turnover…the Indian outsourcing
firm is wrestling with a 25 percent spike in employee attrition—the
highest mark since 2004, analysts say.‖
―In India, the average annual attrition rate in the business process outsourcing
(BPO) sector hit a high of close to 50% a few years ago.‖
6. What are Privileged Accounts?
Acct Type Scope Used by Used for
Elevated • Personal Accounts • Privileged operations
elevated permissions • IT staff
Personal Accts • Access to sensitive
– JSmith_admin
(SUPM) – SUDO
information
Shared
Highly Powerful •• Emergency
• IT staff
• Administrator
• System Admins
• UNIX root Fire-call
• Network Admins
Difficult to Control,DBAs
Privileged
Accounts
• Manage & Monitor
• Cisco Enable
• Oracle SYS
• Disaster recovery
• Privileged operations
• Help Desk, etc
(SAPM)
Usage is Not ••‘Personalized’sensitive
• Local Administrators
Developers
• ERP admin
Legacy Apps
• Access to
information
Pose Devastating Risk if Misused
• Applications
• Hard-Coded, and • Scripts
Application • Online database access
Embedded Application • Windows Services
Accounts • Batch processing
IDs • Scheduled Tasks
(AIM) • App-2-App communication
• Service Accounts • Batch jobs, etc
• Developers
7. The Insider Threat…
No. 1 security concern of large companies is…
THE INSIDER THREAT (IDC Analyst Group)
86% of the insiders held technical positions (CERT)
90% of them were granted system administrators or
privileged system access when hired (CERT)
64% used remote access (CERT)
50% of those people were no longer supposed
to have this privileged access
(Source: Carnegie Mellon, DOD)
92% of all the insiders attacked following a negative
work-related event like termination, dispute, etc. (CERT)
8. Crucial question…
Quis custodiet ipsos custodies
=
Who will guard the guards?
9. How sys admins really operate!
And how passwords get compromised!
Ground Level Realities
10. SQL Server to Enterprise 0wned!
Entry Point – 172.16.1.36
Vulnerability -> SQL Server
Default username and password
Username: sa
Password: password
Use xp_cmdshell to
‗net user kkm kkm /add‘
‗net localgroup administrators kkm /add‘
12. Privilege Escalation on the Network
Using the Administrator account logon to other machines
Login to the domain server was not possible
Check for Impersonating Users
13. The Scope of the Problem...
―Most organizations have more privileged accounts than personal accounts‖
(Sally Hudson, IDC)
Typical use case - mid-size company IT profile:
~10,000 employees
8,000+ desktops/laptops
200 Windows servers
10 Windows domains
500 Unix/Linux servers
20 WebSphere/Weblogic/Jboss/Tomcat servers
100 Oracle/DB2/Sqlserver databases
50 Cisco/Juniper/Nortel routers and switches
20 firewalls
1,000 application accounts
150 Emergency and break-glass accounts
17. Compliance and Regulation
Current Audit Questions around Privileged Accounts:
―Can you prove that you are protecting access to key accounts?‖
―Who is acting as System Administrator for this activity?‖
―Can you prove that Rahul Mehta‘s access to the netAdmin ID was properly
approved?‖
―Can you show me what Rahul Mehta did within his session as root last week?‖
―Are you changing the Exchange Admin password inline with company policy?‖
―Have you removed hard-coded passwords from your applications?‖
PCI, SOX, Basel II & HIPAA are all
diving deeper into Privileged Accounts
18. Telecom Regulations
DOT circular (31st May 2011) states in 5.6 A (vi) c.
that
The Licensee shall keep a record of all the operation and
maintenance command logs for a period of 12 months,
which should include the actual command given, who gave
the command, when was it given and from where. For
next 24 months the same information shall be
stored/retained in a non-online mode.
19. Corporate Liability
‗43A.Where a body corporate, possessing, dealing or
handling any sensitive personal data or information in a
computer resource which it owns, controls or operates, is
negligent in implementing and maintaining
reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any
person, such body corporate shall be liable to pay
damages, not exceeding five crore rupees, by way
of compensation to the person so affected.
20. RBI Guidelines on Technology Risks
April 29, 2011, the Reserve Bank of India released the
―Guidelines on Information security, Electronic Banking,
Technology risk management and cyber frauds‖.
Close supervision of personnel with elevated
system privileges
Personnel with elevated system access privileges should
be closely supervised
21. App2App Communication
• App2App interaction requires an authentication process
– Calling application needs to send credentials to target application
• Common use cases
– Applications and Scripts connecting to databases
– 3rd Party Products accessing network resources
– Job Scheduling
– Application Server Connection Pools
– Distributed Computing Centers
– Application Encryption Key Management
– ATM, Kiosks, etc.
24. On-Demand Privileges Manager:Tightening Unix Security
Control superuser access for in-depth unix security
Manage the commands Unix admins can run with granular access control
Enforce ‗least privilege‘ - elevate to ‗root‘ only when necessary
Monitor individual superuser activity with text recording
Unified audit of superuser activity and password access
When Who What Where
25. Privileged ‗Session‘ Example ‘Session’ Example
Privileged
Company : Telco with over 100M subscribers
Regulation : Multiple
Driver : Compliance, control & monitor access to production
environment, reduce operational costs
Scope : Integrated Privileged ID and Session Management implementation
on 15,000 machines, tens of thousands of accounts.
Benefits :
Minimized security risks
• Detailed audit logging & recording – 26,000 PSM recorded
sessions within first 60 days
Met compliance goals
Reduced TCO
• Avoid performance impact of end-point logging agents – savings
of around 4% of total CPU power!
Operational efficiency
• Integrated solution with central management & unified
reporting & policies
• Improved IT work efficiency with privileged single-sign-on
26. Summary: Privileged Identity & Session Management
A comprehensive platform for isolating and preemptively
protecting your datacenter – whether on premise or in the
cloud
Discover all privileged accounts across datacenter
Manage and secure every credential
Enforce policies for usage
Record and monitor privileged activities
React and comply
Integrate with IDAM
29. Policies
Privileged ID Management Policy & Procedures
Privileged ID allocation – process of the approval mechanism
for it
Privileged ID periodic review – procedure for this
Monitoring of privileged ID activities – mechanisms, and
procedures for logging and monitoring privileged IDs
Revocation of a privileged ID – what happens when an
Administrator leaves the organization?
How are vendor-supplied user IDs managed
Managing shared/generic privileged IDs
30. Take Aways
Privileged IDs represent the highest risk for data leakage
in the organization
Such IDs are numerous due to the large number of
systems and devices in any network
Managing the access of these IDs and monitoring their
activities is of crucial importance!
Technology solutions such as Privileged Identity
Management make this task easier
But these need to be combined with the right policy
framework and comprehensive procedures