Don't be a victim of IT's Dirty Little Secret: Assessing and minimising the risk of highly privileged - PowerPoint PPT Presentation


Slides: 16
Provided by: nirl
Transcript and Presenter's Notes



1
Don't be a victim of IT's Dirty Little Secret: Assessing and minimising the risk of highly privileged accounts
  • Mark Fullbrook
  • Director, UK & Ireland

2
Why should you be concerned?
  • Highest level of control and access ("God" accounts)
  • Unauditable because of their generic nature
  • Historically provided to tech-savvy employees
  • High level of password re-use within companies

But it's all about trust, right?
3
What do the facts say?
  • In a survey run at Infosecurity Europe over the last three years...
    • An average of 33% of respondents who claimed to have some level of privileged access answered "yes" to the question: "Have you ever used your administrative privileges to access data that was NOT relevant to your role?"
    • On average, over 80% of respondents said they would take company-sensitive information with them when they left the company.
  • In a recent Verizon survey, 57% of breaches were found to have been carried out by either internal users or partner organisations with privileged access.
  • A recent Ponemon Institute research paper claimed that 97% of respondents believed the most likely source of a data breach would be either:
    • A negligent insider
    • An outsourcing partner
    • A malicious insider

4
What is a privileged identity?
Administrative Accounts
  • Shared
  • Help Desk
  • Fire-call
  • Operations
  • Emergency
  • Legacy applications
  • Developer accounts

Application Accounts
Personal Computer Accounts
5
  • So you need an effective strategy.....

6
7
The three areas to address
  • Storing the passwords
    • Passwords should be stored in a safe, auditable environment
    • Passwords should be INDIVIDUALLY stored: users should only be able to see the passwords relevant to THEIR role
    • Passwords should be safe from administrator view
  • Changing the passwords
    • Passwords should not be used on multiple systems
    • Passwords should be changed regularly, according to the importance of the system
    • Passwords should ALWAYS be changed when staff leave or change roles (think Soc-Gen)
  • Auditing the user
    • Users should have access only via a controlled environment
    • Multiple levels of authentication should be used on specific highly secure accounts, including DUAL authentication

BUT IT MUSTN'T INHIBIT PRODUCTIVITY!
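The three areas above map onto a handful of concrete controls. The Python model below is an added illustration, not Cyber-Ark code and not part of the presentation; the names (Vault, Entry, ROTATION_DAYS, EPOCH) are invented and the rotation intervals are assumed policy values. It shows per-role visibility of individually stored passwords, rotation driven by system importance, dual authorisation on a high-security account, an audit record for every retrieval or denial, and rotation of everything a leaver could have seen:

```python
"""Toy privileged-password vault illustrating the three controls on the slide.
Added illustration only; not Cyber-Ark code. Names and policy values are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets
import string

# Assumed rotation policy: how often a password must change, by system importance.
ROTATION_DAYS = {"critical": 1, "high": 7, "standard": 30}
ALPHABET = string.ascii_letters + string.digits + "!_-"
# Constructed reference time so the demo and its checks are deterministic.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days(n):
    return timedelta(days=n)


def generate_password(length=16):
    """A fresh random password per system, so no value is shared across systems."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Entry:
    password: str
    roles: frozenset        # roles allowed to see this password (individual storage)
    importance: str         # key into ROTATION_DAYS
    dual_auth: bool         # True: a second, different person must approve retrieval
    rotated_at: datetime


@dataclass
class Vault:
    entries: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (time, user, account, outcome)

    def _log(self, now, user, account, outcome):
        self.audit.append((now, user, account, outcome))

    def store(self, account, roles, importance, dual_auth, now):
        """The vault generates the secret itself, so no administrator ever sees it."""
        self.entries[account] = Entry(generate_password(), frozenset(roles),
                                      importance, dual_auth, now)
        self._log(now, "vault", account, "stored")

    def retrieve(self, account, user, user_roles, now, approver=None):
        """Every retrieval is authorised by role, optionally dual-approved, and logged."""
        entry = self.entries.get(account)
        if entry is None or not (frozenset(user_roles) & entry.roles):
            self._log(now, user, account, "denied: not in an authorised role")
            raise PermissionError(f"{user} may not see {account}")
        if entry.dual_auth and (approver is None or approver == user):
            self._log(now, user, account, "denied: dual authorisation missing")
            raise PermissionError(f"{account} requires a second approver")
        self._log(now, user, account, f"retrieved (approver={approver})")
        return entry.password

    def rotate(self, account, now):
        entry = self.entries[account]
        entry.password = generate_password()
        entry.rotated_at = now
        self._log(now, "vault", account, "rotated")

    def rotate_due(self, now):
        """Rotate every password older than its importance-based interval."""
        due = [a for a, e in self.entries.items()
               if now - e.rotated_at >= days(ROTATION_DAYS[e.importance])]
        for account in due:
            self.rotate(account, now)
        return due

    def offboard(self, user, user_roles, now):
        """Leaver or role change: rotate everything the person could have seen."""
        exposed = [a for a, e in self.entries.items() if frozenset(user_roles) & e.roles]
        for account in exposed:
            self.rotate(account, now)
        self._log(now, user, "*", f"offboarded; {len(exposed)} passwords rotated")
        return exposed


if __name__ == "__main__":
    v = Vault()
    v.store("oracle-prod", {"dba"}, "critical", True, EPOCH)
    v.store("helpdesk-shared", {"helpdesk", "dba"}, "standard", False, EPOCH)
    v.retrieve("oracle-prod", "alice", {"dba"}, EPOCH, approver="carol")
    v.rotate_due(EPOCH + days(1))
    v.offboard("bob", {"helpdesk"}, EPOCH + days(2))
    for record in v.audit:
        print(*record)
```

Two design points worth noting: the vault never accepts a cleartext password from an administrator, which is what keeps passwords "safe from administrator view", and denials are written to the same audit trail as successful retrievals, so an attempt to read a password outside one's role is itself visible to reviewers.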
8
The two choices for any company
  • A physical vault and envelope process ("break-glass")
    • Strong, controllable environment
    • Single key holder provides the keys to the kingdom
    • Envelope procedure provides an auditable trail of who had which password
    • Allows immediate resetting of the password when the envelope is returned
  • A digital vaulting solution
    • Strong, controllable environment
    • Provides security through obfuscation of data from those not authorised to see it
    • Integrates with existing systems to ensure that the process does not inhibit productivity
    • Provides complete control over WHO, WHY and WHEN
    • Easy password reset
    • Potential expansion to include session recording

9
Digital Vault: The Concept
10
The Patented Vaulting Technology
  • Digital Vaults are based on Cyber-Ark's patented Vaulting Technology
  • Securing data from end to end using multiple security layers
  • Highly secured regardless of overall network security

[Diagram: Cyber-Ark Vault Server with its security layers labelled Vault Safes (Local Drive or SAN), Manual Geographical Security, Access Control, Auditing (Visual Security), Authentication, Firewall, Session Encryption and File Encryption]
11
Enterprise Class Architecture
[Diagram: Vault SDK (C, C++, Java, .NET and multi-platform CLI); Users and Administrators; Vault with HA Vault and DR Vault; integration points for Enterprise Authentication, E-mail, Enterprise Directory, Enterprise Backup, and Enterprise Monitoring and Remote Control]
12
Enterprise Password Vault: Concept of Operation
[Diagram: Servers, Databases, Application and PCs, each initially holding weak or shared passwords (tops3cr3t, orac1e, psw4adm, password1 to password6); with the Vault in place each system holds its own random password (e.g. O8pltzZ, Ty3p0L) and IT personnel retrieve passwords from the Vault]
Before: application script (DCL) with the database passwords hard-coded in the source:

    $! CSTRING IS ORACLE USER/PASS SO DETERMINE THE PASSWORD
    $ IF P1 .EQS. "TEST" THEN PW = "password1"
    $ IF P1 .EQS. "PPRD" THEN PW = "password2"
    $ IF P1 .EQS. "QUAL" THEN PW = "password3"
    $ IF P1 .EQS. "CONV" THEN PW = "password4"
    $ IF P1 .EQS. "TRNG" THEN PW = "password5"
    $ IF P1 .EQS. "PROD" THEN PW = "password6"
    $ CSTRING = "FIMSUSR/''PW'"
    $ SQLPLUS 'CSTRING' @FINPLUSFORAPPL.SQL 'P1'
After: the same script retrieving each password from the vault at run time, so no password appears in the source:

    $! CSTRING IS ORACLE USER/PASS SO DETERMINE THE PASSWORD
    $ IF P1 .EQS. "TEST" THEN PW = getPassword(TEST)
    $ IF P1 .EQS. "PPRD" THEN PW = getPassword(PPRD)
    $ IF P1 .EQS. "QUAL" THEN PW = getPassword(QUAL)
    $ IF P1 .EQS. "CONV" THEN PW = getPassword(CONV)
    $ IF P1 .EQS. "TRNG" THEN PW = getPassword(TRNG)
    $ IF P1 .EQS. "PROD" THEN PW = getPassword(PROD)
    $ CSTRING = "FIMSUSR/''PW'"
    $ SQLPLUS 'CSTRING' @FINPLUSFORAPPL.SQL 'P1'
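The hard-coded passwords in the "before" script are exactly what a defender needs to find across a code base before moving them into a vault. The scanner below is an added example, not part of the presentation or of any Cyber-Ark tool; it runs over constructed samples modelled on the slide's DCL script (plus a constructed SQL*Plus command line carrying a user/password connect string) and reports the line number and the variable or user name, never the secret value itself:

```python
"""Scan scripts for hard-coded credentials before moving them into a vault.
Added example, not part of the presentation or any Cyber-Ark tool."""
import re

# Constructed samples modelled on the slide's DCL script; the password values are the
# slide's placeholders, not real credentials.
BEFORE = """\
$! CSTRING IS ORACLE USER/PASS SO DETERMINE THE PASSWORD
$ IF P1 .EQS. "TEST" THEN PW = "password1"
$ IF P1 .EQS. "PROD" THEN PW = "password6"
$ CSTRING = "FIMSUSR/''PW'"
$ SQLPLUS 'CSTRING' @FINPLUSFORAPPL.SQL 'P1'
"""
AFTER = """\
$! CSTRING IS ORACLE USER/PASS SO DETERMINE THE PASSWORD
$ IF P1 .EQS. "TEST" THEN PW = getPassword(TEST)
$ IF P1 .EQS. "PROD" THEN PW = getPassword(PROD)
$ CSTRING = "FIMSUSR/''PW'"
$ SQLPLUS 'CSTRING' @FINPLUSFORAPPL.SQL 'P1'
"""
# A constructed command line with the password inline in the connect string.
CONNECT_SAMPLE = "$ SQLPLUS SCOTT/tiger@PROD @report.sql\n"

# Variable names that usually hold a secret (substring match, case-insensitive).
SECRET_NAME = re.compile(r"PW|PASS|PWD|SECRET|TOKEN", re.I)
# name = "literal"   (DCL symbol assignment; also catches shell/Python-style ones)
LITERAL_ASSIGN = re.compile(r"""(?P<name>[A-Za-z_]\w*)\s*[:=]+\s*["'](?P<value>[^"']+)["']""")
# user/password connect string; the password part cannot start with a quote, so a DCL
# run-time substitution such as FIMSUSR/''PW' is not reported.
CONNECT_CTX = re.compile(r"\b(SQLPLUS|CONNECT)\b", re.I)
CONNECT = re.compile(r"\b(?P<user>[A-Za-z_]\w*)/(?P<pw>[^\s\"'@]+)")


def find_hardcoded_credentials(text):
    """Return (line_no, kind, name) for each suspected hard-coded credential.
    Only the variable or user name is reported, never the secret itself."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith(("$!", "!", "#")):   # comment lines
            continue
        for m in LITERAL_ASSIGN.finditer(line):
            if SECRET_NAME.search(m.group("name")):
                findings.append((line_no, "literal-password", m.group("name")))
        # Only look for user/password pairs on lines that invoke a database client,
        # which keeps ordinary paths like /usr/bin from being reported.
        if CONNECT_CTX.search(line):
            for m in CONNECT.finditer(line):
                findings.append((line_no, "connect-string", m.group("user")))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("inline", CONNECT_SAMPLE)):
        print(label, find_hardcoded_credentials(sample))
```

Run against the "before" sample it flags the two literal assignments to PW; against the "after" sample it reports nothing, because getPassword(...) is a call rather than a quoted literal and the connect string is built from a run-time symbol. Reporting names rather than values matters in practice: a scanner that echoes the password into a ticket or CI log has just created another copy of the secret to manage.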
13
Q & A
  • www.cyber-ark.com

14
450 Enterprise Customers
Banking
Pharmaceutical
Financial
Govt/F1000
15
Thank You!
  • www.cyber-ark.com