By: Prof. Lili SaghafiDean Continuing EducationJan. 15th , 2013The Threat Within:Zero Trust Access Control
Agenda privileged insider risk RISKS Firesheep Awareness Zero Trust Access Control
Privileged insider risk privileged insider risk, organizations areaddressing it with what’s called the―least privilege‖ approach — one withreal merit but significant limitations formodern enterprises. LECTURES
―least privilege‖ To adequately address the privilegedinsider risk in today’s environment,companies must go several stepsbeyond least privilege to a level wecall ―Zero Trust.‖
Protecting your data In protecting your data you’ve investedconsiderable time and resources intofirewalls, IDS/IPS, malware detection andnumerous Other security measures. That’s how you keep the bad! Guys out,right-
protecting your data Well, not exactly. Because all of the border defenses in theuniverse can’t provide a shred of protectionagainst what could amount to yourenterprise’s most formidable threat: thevery people you’ve entrusted to runand manage these systems.
―privileged insiders.‖ ―keys to the kingdom‖ level ―privileged insiders.‖ good people can lapse into bad routines They may : use the same administrative passwords for years, store them in unprotected spreadsheets and otherdocuments share them too freely. Or perhaps a busy senior administrator willquickly grant a new hire ―keys to the store‖ whenlimited access would have sufficed.
―privileged insiders.‖ In fact, some servers and network deviceshave just a single administrative account. So granting “all-or-nothing” access maybe the only option. And with the rise in the 24/7 mobilementality, a system admin working remotelyat a coffee shop can innocently exposeID/password information by using an insecurewireless connection.
General things that you should do You should browse only, meaning, do not go to any site that wouldrequire you to use a password or log in. Get the network information for a free Wi-Fi connection, from thecompany itself. And, make sure to log on to the network as printed onthe businesses Wi-Fi ad or handout. Do not pick a network out of the available wireless connections list,without ensuring that it is the actual Wi-Fi network of a business. Consider researching options for a hotspot shield. Hotspot shields aredesigned to hide the IP address while protecting you from potentialhackers. Enable secure browsing. Make sure the URL address starts with"httpS://" -- the "S" stands for secure.
You should know Things can go bad quickly. Especially when these adversaries cantake advantage of the treasure trove ofinformation shared in social media tolaunch highly focused spear-phishingattacks, targeting privileged insiders andsnatching up precious administratorcredentials Vishing, Smishing60 minutes program
Firesheep: Easiest way to hack overan unsecured network Firesheep is an application developed justto demonstrate the session hijacking orsidejacking vulnerability over anunsecured network. Now the question is,how does that works out for us?Interesting?
Firesheep When we logon to a social network accountsuch as facebook, orkut, etc. or any mailaccounts such as gmail on an unsecurednetwork, the issue arises where we canlogin into anyone’s account over thatnetwork. Just install Firesheep, that comes as amozilla addon, restart the firefox browser,go to view tab, then on sidebars, selectFiresheep.
Firesheep The Firesheep sidebar appears to the left ofthe browser. Click on start capturing button,we see the usernames and accounts ofeveryone logged in to specific accounts onthat particular unsecured network as shownbelow:
Firesheep The moment you click on any one of theresults listed, you get redirected to thatparticular account of that particular user,without any sort of username and passwordauthentication. Note that this is possible in unsecurednetworks, such as unsecured Wifi’s, unlessthere is an end to end encryption of data asin HTTPS or SSL. Full protection can only come from notusing unsecured wireless networks.
Real Incidents Translate toSignificant Losses2011: A former employee at theU.S. subsidiary of Japanese pharmaShionogi plead guilty to deleting 15Business-critical VMware hostsystems, costing the company$800,000.
Real Incidents Translate toSignificant Losses• 2010: An IT employee at Bank ofAmerica admitted that he hackedthe bank’s ATMs to dispense cashwithout recording the activity.
2010: A contract programmerfired by Fannie Mae was convictedof planting malicious code intendedto destroy all data on nearly 5,000internal servers.Real Incidents Translate toSignificant Losses
2010: A Goldman Sachsprogrammer was found guilty ofstealing computer code for highfrequency trading from theinvestment bank when he left tojoin a startup.Real Incidents Translate toSignificant Losses
2010: A Utah computercontractor pleaded guilty tostealing about $2 million from fourcredit unions for which he worked.Real Incidents Translate toSignificant Losses
How? An admin already has privileged access. He knows the network. He can avoid existing security controls,or access network and security systemsto cover his tracks.
When the inevitable breach occurs, yourealize the extent of exposurecreated by : easy access, excessive privileges and poorly protected credentials.
How? And because you don’t have firmcontrol over who went where and whatexactly each person did, it’s nearlyimpossible to find who was responsibleand how the damage was done. This is not mere theory. Both regulators and auditors are takingnotice.
Insider threats WikiLeaks served as a clarion call, exposingthe immense dangers of ―insider threats.‖ As a result, many regulators are updatingrequirements and auditors are scrutinizingsecurity programs to identify this importantrisk. They certainly don’t want the equivalent of aWikiLeaks scandal to unfold under theirwatch, and are willing to hand out stiffpenalties for compliance violations.
insider threats HIPAA violations can cost up to $50,000each. Fines for PCI non-compliance (PaymentCard Industry (PCI) compliant ) cantotal up to $100,000 per month.
What’s at risk- ―Forty-two percent of respondents say the risk toorganizations caused by the insecurity of privilegeaccess users will increase over the next 12 to 24months and 42 percent say it will stay the same. Cloud-based applications, virtualization and regulationsor industry mandates are the primary reasons for thisbelief.‖Source: December 2012 PonemonInstitute Study: Insecurity of PrivilegedUsers: Global Survey of IT Practitioners.
privileged insider privileged insider are granted elevatedrights and privileges They can go rogue, or inadvertentlylapse into patterns that createvulnerabilities. Hackers target these individuals andtheir credentials to gain access tocritical systems.
There are three key vulnerabilities to consider:Over-privileged users Some individuals have more access andauthority than what’s necessary to performtheir duties. As administrators move on from project toproject, they typically collect new permissionsas they go, often without relinquishingcredentials from past projects. Sometimes their accounts remain active evenafter they’ve left the organization or finisheda contract.
Unprotected privileged account credentials. Manyorganizations have not taken adequate steps to protect privilegedaccount credentials, such as user IDs and passwords. Individuals and teams store them in unencrypted files andexchange them in email and chat sessions. In addition to the unprotected privileged user credentials, manylarge enterprises have hundreds or even thousands ofunprotected passwords in applications. Such credentials enable one system to communicate andexchange data with other applications or databases. And these passwords are often placed directly into source codeand scripts or stored in clear text in configuration files.
Shared administrative accounts. When multiple individuals usethe same admin account, you really have two problems rolledinto one. Since these credentials are shared, they’re typically changedinfrequently. if multiple admins use the same account, everyone using theaccount is effectively ―anonymous,‖ since there is no reliableway to know who was logged on when or what they did. This can be a really sticky issue. Some older servers andnetwork and security devices support only a single “admin”account. In other cases, where the technology enables multipleadministrative accounts, the issue can be the cost andcomplexity of setting up and managing policies formultiple accounts, especially across a range of devicesand operating systems.
Beyond these vulnerabilities, there are other importantdynamics that figure into the risk equation, creating a perfectstorm: First, it’s important to remember that privileged insiders are notjust your employees. The use of third parties — outsourcers, contractors, consultants, vendors and the like — has emerged asa mainstay of the modern enterprise for cost andbusiness agility reasons.
Virtualization and cloud and mobile computing further complicatethe picture. With virtualization, the sheer number of nodes to bemanaged and secured makes it difficult to maintain control. It establishes a much larger ―attack surface area.‖ Virtualservers operate in a dynamic environment where they are spunup rapidly and generally don’t receive the same level of studyas their physical cousins. These virtual nodes can be targets themselves, or jump-offpoints for additional penetration into the network.
THE CHALLENGES OF CLOUDCOMPUTING A plethora of new mobile devices(smartphones and tablets), combinedwith everywhere network availability,generates more challenges Let’s not forget about the human factor All of these factors have fundamentallyeroded the concept of ―perimeterdefenses‖ and have changed the trustmodel forever.
When “Least Privilege” Isn’t Enough―Least privilege (a.k.a. minimalprivilege) access control is anexcellent start … But leastprivilege is only a first step.‖
It dictates that any specific user/module/process/program isallowed to access solely the systems/data required for itslegitimate purposes. You may recall the DAPE principle: Deny All Permit byException. Best practices for privileged access control from Gartner andother IT analysts include the minimization of accounts, limitationof scope, restriction of privileges and use of risk-appropriateauthentication. The least-privilege principle also accounts for what authorizedparties can do on these systems (for example, limiting thecommands that they can run). But least privilege is only a first step.
―Zero Trust.‖ Advanced set of access controls Zero Trust access control includes all of the components of leastprivilege, but extends far beyond. To be clear, least privilege asa model serves as a great starting point. But it alone is notenough. It was not designed with the modern nature of threat in mind. It cannot account for the complexities stemming from mobility,virtualization, the cloud and the ―new perimeter.‖ Zero Trust does. Zero Trust expands on the least-privilegeconcept to include a full range of controls, like monitoring,alerting and session recording. The extra Zero Trust controlsminimize risk and ensure that organizations are well protectedand able to detect insider threats. Zero Trust also ensures that they can respond rapidly whenissues arise, armed with information that’s essential to fullyinvestigate breaches.
Eight Pillars of Zero Trust1. Control Access2. Protect and manage passwords3. Prevent anonymous activity onshared accounts4. Contain users5. Control commands6. Record sessions7. Log everything8. Alert for policy violations
1. Control Access Limiting access is a fundamental tenetof the least privilege principle To meet Zero Trust standard, theaccess-control mechanism must hidenodes that are not explicitlyincluded in an individual or groupaccess policy.
2. Protect and managepasswords. administrative-level passwords need to be stored in an encryptedvault and remain encrypted when traversing the network. Thisapplies to credentials for ―privileged users‖ and those used inapplication-to-application or application-to-database scenarios. Policies for the creating, updating and decommissioning ofpasswords must be enforced and the system must supportmulti-factor authentication prior to releasing passwords. To meet the Zero Trust benchmark, the system must alsoinitiate privileged sessions without users seeing or knowing anactual password. Of course there are emergency ―break-glass‖ situations in whichpasswords need to be known, so the system must also be ableto issue single-use or time-limited credentials in such situations.
3. Prevent anonymousactivity on sharedaccounts. For Zero Trust, link a shared, privileged admin account (like―root‖ or ―su‖ or ―admin‖) to the specific person using it. As previously indicated, older systems will often have only oneadmin account. But even with newer technology, many large enterprises chooseto minimize the number of active administrative accountsbecause of the overhead costs of managing them. Regardless of the setup, you must know exactly whologged on to a shared account and what exactly he or she did while on it.
― Areas where organizations most need to improveinclude: monitoring privileged users’ access whenentering administrative root level access,understanding privileged users entitlements thatviolate policy and enforcing access policies in aconsistent fashion across all information resourcesin an organization.‖
4. Contain users. Containing users remains an important aspect of comprehensive accesscontrol. If users are able to ―leapfrog‖ from a device for which they havebeen granted access to another device for which they have not, thenaccess control is really only first-system access control. Windows environments, for example, make leapfrogging incredibly easywith RDP hopping (Remote Desktop Protocol Vulnerability). Those of you that rely solely on RDP for remote administration, withoutrequiring VPN (Virtual Private Network )access, should patch immediately orfind another way to handle remote access. If TCP port 3389 is exposed to theInternet, you should really do something about this Controlling leapfrogging is one half of Zero Trust containment; vaultingand never letting users view passwords is the other. So even if a user gains logical or physical access to a device by goingaround the technical-access controls, he or she won’t have thepassword for entry.
5. Control commands. Limiting access and containing usersisn’t enough. You also must control what can bedone once an individual logs into asystem. Zero Trust mandates the limiting ofcommands that can be executed to onlythose that are necessary.
6. Record sessions. Recording sessions will establishdocumentation of systems control. As Gartner notes, ―The ability tomonitor privileged account activity isessential to a privileged account activitymanagement (PAAM) solution. Monitoringis what proves the effectiveness of thecontrols used to manage theseaccounts.‖
7. Log everything. Granular logging of everything includes the logging of allinteractions privileged users have with a system (as they goabout their network and database management tasks, forexample). However, it also includes logging any interactions that a superuser has with the system providing Zero Trust (e.g., creating,reading or updating policies; viewing recorded sessions; etc.). This degree of awareness ensures that the organizationhas everything it needs to prove compliance and producethe forensic data required to fully investigate issues.
8. Alert for policyviolations. Considering the sheer quantity of events that modernsecurity operations centers have to deal with, theZero Trust system must raise a red flag whensomething bad may be occurring. Despite enormous improvements in log managementand SIEM (Security information and event management)systems, it remains very difficult for systems todetect anomalous behavior by those with privilegedaccounts. So proactive alerting that is tied to policy violationsserves as a critically important detection mechanism.
Zero Trust in theEnterprise Large organizations have uniquerequirements that must be met in orderfor a Zero Trust access control solutionto be viable in their complexenvironments. Reliability, Availability and Scalability. Low Total Cost of Ownership (TCO). Wide Platform Support Integration.
The Bottom Line: The imposing nature of privileged insider threats,combined with rapidly changing business andtechnology dynamics, has placed enterprise networksand data at significant risk. Many organizations are revisiting the concept of leastprivilege. And while least privilege is an excellentstarting point, it simply falls short. Zero Trust access control builds on the least-privilegeconcept by identifying eight essential capabilitiesrequired to adequately protect organizations from theelevated insider risk that large enterprises withmodern IT systems face.
Did you get it ? Or you want me to repeat? lol
CURRENT INDUSTRYTERMS: Gartner – Privileged Account Activity Management (PAAM), including: Super User Privilege Management (SUPM) Shared Account Password Management (SAPM) Application-to-Application Password Management (AAPM) IDC – Privileged Identity Management (PIM) Forrester – Privileged User Management (PUM)
References www.xceedium.com Security information and event management, Wikipedia Gartner ,the worlds leading information technology research andadvisory company http://www.gartner.com/technology/why_gartner.jsp Comodo Unite , allows users to easily create a secure and encryptedvirtual private network (VPNs) between groups of computers. Microsoft Patch Tuesday, March 2012: Beware the RDPs ofMarch
Thank you for beinggreat audienceAnyQuestion?51 Prof. Lili Saghafi