Advanced Persistent Threats K. K. Mookhey Principal Consultant Network Intelligence India Pvt. Ltd.
Speaker Introduction Founder & Principal Consultant Network Intelligence Institute of Information Security Certified as CISA, CISSP and CISM Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008,2009 Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA) Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA) Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
Agenda Ground-level Realities Compliance & Regulations Case Study of Privileged Identity Challenges Solutions Policy Process Technology
Further background… ―Fraud worries Indian outsourcing firms... Industry executives and officials at Nasscom, … say they are worried that exposés of recent incidents of fraud are damaging Indias reputation as a high-skilled, low-cost location…‖ ―Laterals attrition worrying IT biggies... some companies are now battling attrition as high as 40% among their project managers, threatening to disrupt ongoing engagements. ― ―Infosys wrestles with India IT worker turnover…the Indian outsourcing firm is wrestling with a 25 percent spike in employee attrition—the highest mark since 2004, analysts say.‖ ―In India, the average annual attrition rate in the business process outsourcing (BPO) sector hit a high of close to 50% a few years ago.‖
What are Privileged Accounts?Acct Type Scope Used by Used forElevated • Personal Accounts • Privileged operations elevated permissions • IT staffPersonal Accts • Access to sensitive – JSmith_admin(SUPM) – SUDO informationShared Highly Powerful •• Emergency • IT staff • Administrator • System Admins • UNIX root Fire-call • Network Admins Difficult to Control,DBAsPrivilegedAccounts • Manage & Monitor • Cisco Enable • Oracle SYS • Disaster recovery • Privileged operations • Help Desk, etc(SAPM) Usage is Not ••‘Personalized’sensitive • Local Administrators Developers • ERP admin Legacy Apps • Access to information Pose Devastating Risk if Misused • Applications • Hard-Coded, and • ScriptsApplication • Online database access Embedded Application • Windows ServicesAccounts • Batch processing IDs • Scheduled Tasks(AIM) • App-2-App communication • Service Accounts • Batch jobs, etc • Developers
The Insider Threat… No. 1 security concern of large companies is… THE INSIDER THREAT (IDC Analyst Group) 86% of the insiders held technical positions (CERT) 90% of them were granted system administrators or privileged system access when hired (CERT) 64% used remote access (CERT) 50% of those people were no longer supposed to have this privileged access (Source: Carnegie Mellon, DOD) 92% of all the insiders attacked following a negative work-related event like termination, dispute, etc. (CERT)
Crucial question… Quis custodiet ipsos custodies = Who will guard the guards?
How sys admins really operate!And how passwords get compromised! Ground Level Realities
SQL Server to Enterprise 0wned! Entry Point – 172.16.1.36 Vulnerability -> SQL Server Default username and password Username: sa Password: password Use xp_cmdshell to ‗net user kkm kkm /add‘ ‗net localgroup administrators kkm /add‘
Privilege Escalation on the Network Using the Administrator account logon to other machines Login to the domain server was not possible Check for Impersonating Users
The Scope of the Problem...―Most organizations have more privileged accounts than personal accounts‖ (Sally Hudson, IDC) Typical use case - mid-size company IT profile: ~10,000 employees 8,000+ desktops/laptops 200 Windows servers 10 Windows domains 500 Unix/Linux servers 20 WebSphere/Weblogic/Jboss/Tomcat servers 100 Oracle/DB2/Sqlserver databases 50 Cisco/Juniper/Nortel routers and switches 20 firewalls 1,000 application accounts 150 Emergency and break-glass accounts
Compliance and RegulationCurrent Audit Questions around Privileged Accounts: ―Can you prove that you are protecting access to key accounts?‖ ―Who is acting as System Administrator for this activity?‖ ―Can you prove that Rahul Mehta‘s access to the netAdmin ID was properly approved?‖ ―Can you show me what Rahul Mehta did within his session as root last week?‖ ―Are you changing the Exchange Admin password inline with company policy?‖ ―Have you removed hard-coded passwords from your applications?‖ PCI, SOX, Basel II & HIPAA are all diving deeper into Privileged Accounts
Telecom Regulations DOT circular (31st May 2011) states in 5.6 A (vi) c. that The Licensee shall keep a record of all the operation and maintenance command logs for a period of 12 months, which should include the actual command given, who gave the command, when was it given and from where. For next 24 months the same information shall be stored/retained in a non-online mode.
Corporate Liability ‗43A.Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages, not exceeding five crore rupees, by way of compensation to the person so affected.
RBI Guidelines on Technology Risks April 29, 2011, the Reserve Bank of India released the ―Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds‖. Close supervision of personnel with elevated system privileges Personnel with elevated system access privileges should be closely supervised
App2App Communication• App2App interaction requires an authentication process – Calling application needs to send credentials to target application• Common use cases – Applications and Scripts connecting to databases – 3rd Party Products accessing network resources – Job Scheduling – Application Server Connection Pools – Distributed Computing Centers – Application Encryption Key Management – ATM, Kiosks, etc.
On-Demand Privileges Manager:Tightening Unix Security Control superuser access for in-depth unix security Manage the commands Unix admins can run with granular access control Enforce ‗least privilege‘ - elevate to ‗root‘ only when necessary Monitor individual superuser activity with text recording Unified audit of superuser activity and password access When Who What Where
Privileged ‗Session‘ Example ‘Session’ Example Privileged Company : Telco with over 100M subscribers Regulation : Multiple Driver : Compliance, control & monitor access to production environment, reduce operational costs Scope : Integrated Privileged ID and Session Management implementation on 15,000 machines, tens of thousands of accounts. Benefits : Minimized security risks • Detailed audit logging & recording – 26,000 PSM recorded sessions within first 60 days Met compliance goals Reduced TCO • Avoid performance impact of end-point logging agents – savings of around 4% of total CPU power! Operational efficiency • Integrated solution with central management & unified reporting & policies • Improved IT work efficiency with privileged single-sign-on
Summary: Privileged Identity & Session ManagementA comprehensive platform for isolating and preemptivelyprotecting your datacenter – whether on premise or in thecloud Discover all privileged accounts across datacenter Manage and secure every credential Enforce policies for usage Record and monitor privileged activities React and comply Integrate with IDAM
Policies Privileged ID Management Policy & Procedures Privileged ID allocation – process of the approval mechanism for it Privileged ID periodic review – procedure for this Monitoring of privileged ID activities – mechanisms, and procedures for logging and monitoring privileged IDs Revocation of a privileged ID – what happens when an Administrator leaves the organization? How are vendor-supplied user IDs managed Managing shared/generic privileged IDs
Take Aways Privileged IDs represent the highest risk for data leakage in the organization Such IDs are numerous due to the large number of systems and devices in any network Managing the access of these IDs and monitoring their activities is of crucial importance! Technology solutions such as Privileged Identity Management make this task easier But these need to be combined with the right policy framework and comprehensive procedures