
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be More Efficient


Catch the full webinar at:

In this presentation from his webinar, InfoSec expert consultant and CISO Chris Ray shares his experience identifying the potential pitfalls that both Unix administrators and security teams face when managing user accounts across multiple Unix environments.

Tune in to get insights into:
• Regulatory requirements to watch for;
• What works and what doesn’t work with “sudo”;
• Strategies to lessen the audit impact to Unix administrators; and
• Tips for getting executive buy-in for what you need fixed.


  1. MANAGING UNIX ACCOUNTS IN TODAY’S COMPLEX WORLD – STOP THE SHADOW IT AND BE MORE EFFICIENT, BY CHRIS RAY, CISSP-ISSMP
  2. TABLE OF CONTENTS
     • State of the Union
     • IAM – What the Industry Requires
     • Defense in Depth Model
     • IAM Evolution
     • Scenario I – User Account Management
     • Scenario II – Server Management
     • Scenario III – Audit Madness!
     • Getting Executive Buy-In
     • Summary
  3. STATE OF THE UNION – INTERNET OF THINGS (OR “THINGIFICATION”)
     1. 50 to 200 billion connected devices by 2020. “Number of connected devices worldwide will rise from 15 billion today to 50 billion by 2020.” - Cisco
     2. $1.7 trillion in spending by 2020. “Global spending on IoT devices & services will rise from $656 billion in 2014 to $1.7 trillion in 2020.” - IDC
     3. The $79 billion smart-home industry. “Smart-home industry generated $79.4 billion in revenue in 2014 and is expected to rise substantially as mainstream awareness of smart appliances rises.” - Harbor Research & Postscapes
     4. 90% of cars will be connected by 2020. “By 2020, 90% of cars will be online, compared with just 2% in 2012, supporting in-car infotainment, autonomous-driving, and embedded OS markets.” - Telefonica
     5. 173.4 million wearable devices by 2019. “Global wearable device shipments will surge from 76.1 million in 2015 to 173.4 million units by 2019.” - IDC
     The wearables market will connect to the smart-home and connected-car markets and open the doors to new automation solutions. Cars can be unlocked, started, or even summoned by a smartwatch. Wearables can also be used to open smart-home locks, automatically turn lights on and off, and communicate remotely with smart appliances.
     Chart source:
  4. STATE OF THE UNION – INFORMATION SECURITY
     “After Verizon breach, 1.5 million customer records put up for sale. Verizon Enterprise's security expertise gets put to the test.” by Jon Brodkin - Mar 24, 2016 3:58pm CDT
  5. IAM – REGULATION REQUIREMENTS FOR UNIX ADMINS
     PR.AC-1: Identities and credentials are managed for authorized devices and users
     • CCS CSC 16
     • COBIT 5 DSS05.04, DSS06.03
     • ISA 62443-2-1:2009
     • ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
     • ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
     • NIST SP 800-53 Rev. 4 AC-2, IA Family
     • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d)
     PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
     • CCS CSC 12, 15
     • ISA 62443-2-1:2009
     • ISA 62443-3-3:2013 SR 2.1
     • ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
     • NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
     • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii)
     PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
     • COBIT 5 DSS05.04
     • ISA 62443-2-1:2009
     • ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
     • NIST SP 800-53 Rev. 4 MA-4
     • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e), 164.308(a)(1)(ii)(D)
     DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
     • ISA 62443-3-3:2013 SR 6.2
     • ISO/IEC 27001:2013 A.12.4.1
     • NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
     • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  6. IAM – REGULATION REQUIREMENTS FOR UNIX ADMINS
     Payment Card Industry Data Security Standard (PCI-DSS):
     • 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
     • 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
     • 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
     • 8.1.3 Immediately revoke access for any terminated users.
     • 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.
     • 10.2.5.a Verify use of identification and authentication mechanisms is logged.
     • 10.2.5.b Verify all elevation of privileges is logged.
     • 10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.
  7. DEFENSE IN DEPTH MODEL – WHERE DOES IAM FIT IN?
     • Model resides across all environments regardless of platform
     • Control challenges to focus on:
       – IAM Provisioning / Deprovisioning
       – Granular Access Controls – “Least Privilege”
       – Policy Enforcement – e.g. Password Complexity
       – Logging / Auditing – Non-repudiation
     • What about enabling the business?
  8. IAM PROCESS
     Many kinds of users access these systems, including:
     • Employees
     • Contractors
     • Partners
     • Vendors
     • Customers
     Insiders: including employees and contractors. Outsiders: including customers, partners and vendors.
  9. SCENARIO I – USER ACCOUNT MANAGEMENT
     Scenario: When users and administrators need access to a system, a user account needs to be created on each host in order to provide system access for the user. Rights for these user accounts are not granular, which gives the user more access than is needed. Privileged account passwords must be changed immediately when a person changes departments or leaves the company.
     Challenge:
     • New User Accounts (Provisioning)
       – How do I set up multiple user accounts for administrators and ensure ongoing consistency with the main directory (e.g. PeopleSoft, Windows AD, etc.)?
     • Removing User Accounts (Deprovisioning)
       – How do I promptly remove a person’s access when they change departments or are no longer with the company?
       – How do I change all of my generic privileged account passwords that the person may have had knowledge of?
     • Authorization
       – How do I limit what an administrator can have access to?
     • Password Policy
       – How can I enforce the company’s password policy?
     Watch Out!
     • Excessive local accounts remain
     • Contractor / 3rd-party support personnel are closely managed and keep access after leaving the company
     • Rotating passwords are practiced
     • Violations of the “least privilege” principle
  10. SCENARIO I – USER ACCOUNT MANAGEMENT
     Unix operating systems have progressed significantly through the years in regards to user account management.
     • “chmod 777 TopSecretFile” – not recommended! – except on slot machines…
     • Red Hat Identity Management (IdM) – IdM even provides native integration with Active Directory.
     • Managing User Accounts – Deploy and modify PAM (Pluggable Authentication Modules) to enforce password policy.
     • Solaris 11.3 – Specific extended rights can be applied to file objects, port numbers, and user IDs. These extended rights replace the set of rights that are otherwise available, except for the basic set.
     Remember: Implement “least privilege” not only for admins but also for partners, contractors and end users. Look at solutions that synchronize passwords across environments and provide automated provisioning and deprovisioning of accounts.
  11. SCENARIO II – SERVER MANAGEMENT
     Scenario: Unix administrators must constantly connect to their servers to perform daily management tasks. Accounts require “root” level access to perform duties. Access is typically “all or none” in regards to having admin-level access. Command line restrictions are not available.
     Challenge:
     • Generic accounts – How do I effectively manage my servers without using generic accounts?
     • Remote Access – Given the problem with generic accounts like “root”, how do I manage the servers remotely if I can’t connect with “root”?
     • Command line – What commands can I restrict users from running?
     Watch Out! Avoid Non-repudiation. Don’t forget your service accounts.
  12. SCENARIO II – SERVER MANAGEMENT
     Disable remote “root” access.
     • Change the root shell: to prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.
     • To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file /etc/ssh/sshd_config, and change the line that reads “#PermitRootLogin yes” to read “PermitRootLogin no”.
     • Use PAM.
     Enforce use of “sudo”: sudo <command>.
     • Easy to use and adds an extra layer of protection.
     • Audit logs of the user’s transactions are saved in /var/log/messages.
     • Administrator can allow different users access to specific commands based on their needs.
     Command line – what commands are allowed?
     • Restrict commands within the shell itself or via the sudo configuration file, /etc/sudoers.
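The three controls on this slide can be verified rather than assumed. The shell script below is an added example, not from the webinar or from BeyondTrust's product; the function names are made up here, it assumes the standard file locations /etc/passwd, /etc/ssh/sshd_config and /etc/sudoers, and it runs against constructed sample files so it works offline.

```shell
#!/bin/sh
# Added example, not from the slides: read-only checks for the three controls this
# slide recommends, run against constructed sample files so it works offline.
# Pass /etc/passwd, /etc/ssh/sshd_config and /etc/sudoers (readable only as root)
# to audit a real host.

# root_shell_locked FILE -> "locked" if root's login shell is a nologin shell
root_shell_locked() {
    shell=$(awk -F: '$1 == "root" { print $7; exit }' "$1")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) echo locked ;;
        *) echo open ;;
    esac
}

# permit_root_login FILE -> effective PermitRootLogin value; sshd honours the first
# uncommented occurrence, so a commented "#PermitRootLogin yes" counts as "unset"
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# broad_sudo_rules FILE -> number of sudoers entries whose command list is ALL,
# i.e. the "all or none" root access the slide warns about
broad_sudo_rules() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         /=/ { c = $0; sub(/^[^=]*=/, "", c); sub(/\([^)]*\)/, "", c)
               gsub(/(NOPASSWD|PASSWD|SETENV|NOEXEC):/, "", c); gsub(/[[:space:]]/, "", c)
               if (c == "ALL") n++ }
         END { print n + 0 }' "$1"
}

# Constructed samples: direct root login still possible, blanket sudo for wheel,
# and one rule scoped to a single command (the shape to aim for).
DIR=$(mktemp -d)
SAMPLE_PASSWD="$DIR/passwd"; SAMPLE_SSHD="$DIR/sshd_config"; SAMPLE_SUDOERS="$DIR/sudoers"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$SAMPLE_PASSWD"
printf '#PermitRootLogin yes\nPasswordAuthentication no\n' > "$SAMPLE_SSHD"
printf 'Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%%wheel ALL=(ALL) NOPASSWD: ALL\nalice ALL=(root) /usr/bin/systemctl restart httpd\n' > "$SAMPLE_SUDOERS"

echo "root shell: $(root_shell_locked "$SAMPLE_PASSWD")"           # open
echo "PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD")"        # unset
echo "blanket sudo rules: $(broad_sudo_rules "$SAMPLE_SUDOERS")"   # 2
```

On a real host, a non-zero blanket rule count is the list of accounts whose sudo grant should be narrowed to the commands their role needs.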
  13. SCENARIO III – AUDIT MADNESS!
     Scenario: Internal Audit, Information Security, Customers, and Regulatory Audits constantly require evidence of controls around Unix systems. Some scripting is available for automation, but most evidence collection is cumbersome and pulls Admins away from daily operations.
     Challenge:
     • Logging – How can I show the details of what happened and by whom?
     • Auditing – How am I collecting evidence for the constant audits?
     Watch out!
     • Physical and mental drain on Unix Operations’ teams.
     • Do not give audit the ability to simply run their own commands to gather evidence.
  14. SCENARIO III – AUDIT MADNESS!
     Move logging to a centralized server (e.g. syslog server).
     Script!
     • operating-systems.aspx
     • Be proactive – collect evidence periodically (e.g. quarterly) and save for audit.
     • Feed into a Security Information and Event Management (SIEM) solution when possible.
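The "what happened and by whom" evidence in Scenario III can be scripted out of the sudo entries that slide 12 notes are written to /var/log/messages. The shell script below is an added example, not from the webinar or from BeyondTrust's product; the function names are made up here, it assumes the standard sudo syslog line format, and the log lines it parses are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the slides: turn the sudo entries in a syslog file into
# the "who did what, as whom" evidence auditors ask for. Point it at
# /var/log/messages (or the copy on the central syslog server) for real data.

# Phrases sudo logs when a request is refused; everything else with COMMAND= ran.
# Lines such as "pam_unix(sudo:session): session opened" carry no COMMAND= and
# are skipped so each invocation is counted once.
DENIED='NOT in sudoers|incorrect password|command not allowed'

# sudo_summary LOGFILE -> "user ok=N denied=M" per invoking user, sorted by user
sudo_summary() {
    awk -v denied="$DENIED" '/ sudo: / && /COMMAND=/ {
            u = $0; sub(/^.* sudo:[[:space:]]*/, "", u); sub(/[[:space:]]*:.*/, "", u)
            if ($0 ~ denied) { bad[u]++ } else { good[u]++ }
            seen[u] = 1 }
         END { for (u in seen) printf "%s ok=%d denied=%d\n", u, good[u] + 0, bad[u] + 0 }' "$1" | sort
}

# sudo_commands LOGFILE USER -> the commands USER actually ran through sudo
sudo_commands() {
    awk -v denied="$DENIED" -v who="$2" '/ sudo: / && /COMMAND=/ && $0 !~ denied {
            u = $0; sub(/^.* sudo:[[:space:]]*/, "", u); sub(/[[:space:]]*:.*/, "", u)
            if (u == who) { c = $0; sub(/^.*COMMAND=/, "", c); print c } }' "$1"
}

# Constructed sample log: two successful runs, one user not in sudoers, one
# unrelated sshd line, and one failed password challenge.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 24 15:58:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar 24 15:59:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar 24 16:02:33 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 24 16:05:12 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar 24 16:07:45 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -
EOF

sudo_summary "$SAMPLE_LOG"          # alice ok=2 denied=0 / bob ok=0 denied=1 / carol ok=0 denied=1
sudo_commands "$SAMPLE_LOG" alice   # the two commands alice ran as root
```

The denied column is the part worth reviewing before the quarterly evidence is filed: a user who is not in sudoers but keeps trying is exactly the deprovisioning gap Scenario I describes.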
  15. TIPS FOR GETTING EXECUTIVE BUY-IN
     Show efficiency
     • Time saved and resources reduced by having an automated solution.
     • Reduce associated overhead.
     Audit Improvements
     • Partner with audit (both internal and external) for evidence collection.
     • Reduction in audits around privileged account management.
     • Identity Management is always a hot item for Corporate Board Members.
     Enabling the business
     • Numerous business benefits from a more robust Identity Management program.
     • Improve time to market for internal and external customers.
     • Greatly reduce the security risk!
  16. SUMMARY
     • Difficult job for Unix Admins
     • Know the audit / security requirements
     • Find ways to automate when possible
     • Show reduction in work time and risk
  17. PowerBroker for Unix & Linux – Control and Audit Unix and Linux User Activity
  18. Helicopter View – BeyondTrust Solutions
     • PowerBroker Auditor: Audit for Active Directory; Audit for File Server; Audit for MS Exchange
     • PowerBroker Identity Services: Single Sign On (AD Bridge); Policy Mgmt for Unix/Linux/Mac via AD
     • Privilege Management: PowerBroker for Windows; PowerBroker for Unix / Linux; PowerBroker for Mac
     • Password Safe: Password Management; Session Management; SSH Key Management; Application Management
     • Vulnerability Management: Vulnerability Management; Patch Mgmt for Adobe, Java, etc.; Analytic Reporting
  19. PowerBroker for Unix & Linux:
     • Eliminates the sharing of privileged credentials and delegates permissions without exposing credentials
     • Tracks, logs and audits activities performed on Unix and Linux systems for compliance
     • System-level control provides powerful file and folder controls, not just command line analysis
     • Extends beyond Unix and Linux platforms, helping to reduce risk across the enterprise
  20. How does it work?
  21. Detailed Forensics and Reporting:
     • Searchable Index
     • Scheduled Reports
     • Custom Reporting
     • Single Events Window
  22. Product Demonstration
  23. Quick Poll
  24. Q&A – Thank you for attending!