Who will guard the guards? K. K. Mookhey Principal Consultant Network Intelligence India Pvt. Ltd.
Speaker Introduction Founder & Principal Consultant Network Intelligence Institute of Information Security Certified as CISA, CISSP and CISM Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008,2009 Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA) Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA) Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
Agenda Ground-level Realities Compliance & Regulations Case Study of Privileged Identity Challenges Solutions Policy Process Technology
Ground Level Realities How sys admins really operate!
What happened at RSA?
SQL Server to Enterprise 0wned! Entry Point – 172.16.1.36 Vulnerability -> SQL Server Default username and password Username: sa Password: password
Privilege Escalation on the Network Using the Administrator account logon to other machines Login to the domain server was not possible Check for Impersonating Users
The Insider Threat No. 1 security concern of large companies is… THE INSIDER THREAT (IDC Analyst Group)86% of the insiders held technical positions (CERT)90% of them were granted system administrators orprivileged system access when hired (CERT)64% used remote access (CERT)50% of those people were no longer supposedto have this privileged access(Source: Carnegie Mellon, DOD)92% of all the insiders attacked following a negativework-related event like termination, dispute, etc. (CERT)
Compliance and RegulationCurrent Audit Questions around Privileged Accounts: “Can you prove that you are protecting access to key accounts?” “Who is acting as System Administrator for this activity?” “Can you prove that Rahul Mehta’s access to the netAdmin ID was properly approved?” “Can you show me what Rahul Mehta did within his session as root last week?” “Are you changing the Exchange Admin password inline with company policy?” “Have you removed hard-coded passwords from your applications?” PCI, SOX, Basel II & HIPAA are all diving deeper into Privileged Accounts
Telecom Regulations DOT circular (31st May 2011) states in 5.6 A (vi) c. that The Licensee shall keep a record of all the operation and maintenance command logs for a period of 12 months, which should include the actual command given, who gave the command, when was it given and from where. For next 24 months the same information shall be stored/retained in a non-online mode.
Other Regulations RBI Guidelines on Technology Risks IT Act Notifications – April 2011
What are Privileged Accounts?Acct Type Scope Used by Used forElevated • Personal Accounts • Privileged operations elevated permissions • IT staffPersonal Accts • Access to sensitive – JSmith_admin(SUPM) – SUDO informationShared Highly Powerful •• Emergency • IT staff • Administrator • System Admins • UNIX root Fire-call • Network Admins Difficult to Control,DBAsPrivilegedAccounts • Manage & Monitor • Cisco Enable • Oracle SYS • Disaster recovery • Privileged operations • Help Desk, etc(SAPM) Usage is Not ••‘Personalized’sensitive • Local Administrators Developers • ERP admin Legacy Apps • Access to information Pose Devastating Risk if Misused • Applications • Hard-Coded, and • ScriptsApplication • Online database access Embedded Application • Windows ServicesAccounts • Batch processing IDs • Scheduled Tasks(AIM) • App-2-App communication • Service Accounts • Batch jobs, etc • Developers
The Scope of the Problem...“Most organizations have more privileged accounts than personal accounts” (Sally Hudson, IDC) Typical use case - mid-size company IT profile: ~10,000 employees 8,000+ desktops/laptops 200 Windows servers 10 Windows domains 500 Unix/Linux servers 20 WebSphere/Weblogic/Jboss/Tomcat servers 100 Oracle/DB2/Sqlserver databases 50 Cisco/Juniper/Nortel routers and switches 20 firewalls 1,000 application accounts 150 Emergency and break-glass accounts
App2App Communication• App2App interaction requires an authentication process – Calling application needs to send credentials to target application• Common use cases – Applications and Scripts connecting to databases – 3rd Party Products accessing network resources – Job Scheduling – Application Server Connection Pools – Distributed Computing Centers – Application Encryption Key Management – ATM, Kiosks, etc.
Summary: Privileged Identity & Session ManagementA comprehensive platform for isolating and preemptivelyprotecting your datacenter – whether on premise or in thecloud Discover all privileged accounts across datacenter Manage and secure every credential Enforce policies for usage Record and monitor privileged activities React and comply Integrate with IDAM
Policies Privileged ID Management Policy & Procedures Privileged ID allocation – process of the approval mechanism for it Privileged ID periodic review – procedure for this Monitoring of privileged ID activities – mechanisms, and procedures for logging and monitoring privileged IDs Revocation of a privileged ID – what happens when an Administrator leaves the organization? How are vendor-supplied user IDs managed Managing shared/generic privileged IDs
Thank you!Questions / QueriesK. K. MOOKHEYkkmookhey@niiconsulting.comNETWORK INTELLIGENCE INDIA PVT. LTD.www.niiconsulting.com