Title: Don't be a victim of IT's Dirty Little Secret: Assessing and minimising the risk of highly privileged accounts
Slide 1: Don't be a victim of IT's Dirty Little Secret: Assessing and minimising the risk of highly privileged accounts
- Mark Fullbrook
- Director, UK & Ireland
Slide 2: Why should you be concerned?
- Highest level of control and access: "God" accounts
- Unauditable because of their generic, shared nature
- Historically provided to tech-savvy employees
- High level of password re-use within companies
But it's all about trust, right?
Slide 3: What do the facts say?
- In a survey run at Infosecurity Europe over the last three years, an average of 33% of respondents who claimed to have some level of privileged access answered yes to the question "Have you ever used your administrative privileges to access data that was NOT relevant to your role?"
- On average, over 80% of respondents said they would take company-sensitive information with them when they left the company
- In a recent Verizon survey, 57% of breaches were found to have been carried out either by internal users or by partner organisations with privileged access
- A recent Ponemon Institute research paper claimed that 97% of respondents believed that the most likely source of a data breach would be one of:
  - A negligent insider
  - An outsourcing partner
  - A malicious insider
Slide 4: What is a privileged identity?
Administrative accounts
- Shared
- Help desk
- Fire-call
- Operations
- Emergency
- Legacy applications
- Developer accounts
Application accounts
Personal computer accounts
Slide 5: So you need an effective strategy...
Slide 7: The three areas to address
- Storing the passwords
  - Passwords should be stored in a safe, auditable environment
  - Passwords should be INDIVIDUALLY stored: users should only be able to see the passwords relevant to THEIR role
  - Passwords should be safe from administrator view
- Changing the passwords
  - Passwords should not be used on multiple systems
  - Passwords should be changed regularly, at an interval set by the importance of the system
  - Passwords should ALWAYS be changed when staff leave or change roles (think Société Générale)
- Auditing the user
  - Users should have access only via a controlled environment
  - Multiple levels of authentication should be used on specific highly secure accounts, including DUAL authentication
BUT IT MUSTN'T INHIBIT PRODUCTIVITY!
Slide 8: The two choices for any company
- A physical vault and envelope process (break-glass)
  - Strong, controllable environment
  - A single key holder provides the keys to the kingdom
  - The envelope procedure provides an auditable trail of who had which password
  - Allows the password to be reset immediately when the envelope is returned
- A digital vaulting solution
  - Strong, controllable environment
  - Provides security by hiding data from those not authorised to see it
  - Integrates with existing systems so that the process does not inhibit productivity
  - Provides complete control over WHO, WHY and WHEN
  - Easy password reset
  - Potential expansion to include session recording
Slide 9: Digital Vault: The Concept
Slide 10: The patented vaulting technology
- Digital Vaults are based on Cyber-Ark's patented Vaulting Technology
- Securing data from end to end using multiple security layers
- Highly secured regardless of overall network security
Security layers shown in the diagram around the Cyber-Ark Vault Server:
- Manual / geographical security
- Firewall
- Authentication
- Access control
- Session encryption
- File encryption
- Auditing (visual security)
- Vault safes (local drive or SAN)
Slide 11: Enterprise-class architecture
Components shown in the diagram:
- Vault SDK (C/C++, Java, .NET and multi-platform CLI)
- Users and administrators
- HA Vault, Vault and DR Vault
- Enterprise authentication
- E-mail
- Enterprise directory
- Enterprise backup
- Enterprise monitoring and remote control
Slide 12: Enterprise Password Vault: Concept of operation
The diagram contrasts two states. Before vaulting, IT personnel, servers, databases, applications and PCs share a handful of reused, guessable passwords (tops3cr3t, password1, psw4adm, orac1e). After vaulting, every account holds its own random password (Ty3p0L, O8pltzZ, cqg8@fz and so on) that lives only in the Vault, and each person or system retrieves only the entries it is entitled to.
The application example on the slide is an OpenVMS DCL procedure that wraps SQL*Plus. Before vaulting, the Oracle password for every environment is hard-coded in the script, so anyone who can read the file holds the credentials for all six environments:

    $! CSTRING IS ORACLE USER/PASS SO DETERMINE
    $! THE PASSWORD
    $ IF P1 .EQS. "TEST" THEN PW = "password1"
    $ IF P1 .EQS. "PPRD" THEN PW = "password2"
    $ IF P1 .EQS. "QUAL" THEN PW = "password3"
    $ IF P1 .EQS. "CONV" THEN PW = "password4"
    $ IF P1 .EQS. "TRNG" THEN PW = "password5"
    $ IF P1 .EQS. "PROD" THEN PW = "password6"
    $ CSTRING = "FIMSUSR/''PW'"
    $ SQLPLUS 'CSTRING' @FINPLUSFORAPPL.SQL 'P1'

After vaulting, the same procedure asks the Vault for the password at run time, so no credential is stored in the script and every retrieval is audited. getPassword(...) is the slide's shorthand for a call into the Vault SDK or CLI; DCL has no such built-in:

    $! CSTRING IS ORACLE USER/PASS SO DETERMINE
    $! THE PASSWORD
    $ IF P1 .EQS. "TEST" THEN PW = getPassword(TEST)
    $ IF P1 .EQS. "PPRD" THEN PW = getPassword(PPRD)
    $ IF P1 .EQS. "QUAL" THEN PW = getPassword(QUAL)
    $ IF P1 .EQS. "CONV" THEN PW = getPassword(CONV)
    $ IF P1 .EQS. "TRNG" THEN PW = getPassword(TRNG)
    $ IF P1 .EQS. "PROD" THEN PW = getPassword(PROD)
    $ CSTRING = "FIMSUSR/''PW'"
    $ SQLPLUS 'CSTRING' @FINPLUSFORAPPL.SQL 'P1'
Slide 13: Q & A
Slide 14: 450 enterprise customers
- Banking
- Pharmaceutical
- Financial
- Government / Fortune 1000
Slide 15: Thank you!