Reducing Risk through Access Controls, Privilege Management and Auditing
© 2013 BeyondTrust Software
Bruno Caseiro, CISSP, GWAPT, CEH, MCSE
Security Sales Engineer
Agenda
• About BeyondTrust
• Security concepts that are rarely implemented (properly)
• High Profile Breaches in 2013 and 2014
• What can we do to reduce the attack surface?
BeyondInsight IT Risk Management Platform: Capabilities

Privilege & Access Management (Internal Risk Management)
• Privileged Password Management
• Shared Account Password Management
• Privileged Session Management
• Privileged Threat Analytics
• User Activity and Entitlement Auditing
• AD Bridge for UNIX/Linux and Mac
• Automated AD Recovery & Protection

Vulnerability Management (External Risk Management)
• Vulnerability Management
• Regulatory Compliance Reporting
• Configuration Compliance Assessment
• Integrated Patch Management
• Endpoint Protection Agents

Shared platform capabilities: Reporting & Analytics, Central Data Warehouse, Asset Discovery, Asset Profiling, Asset Smart Groups, User Management, Workflow & Notification, Third-Party Integration

Stakeholder views:
• IT Security: Optimize Controls
• IT Risk: Calculate Risk
• Management: Prioritize Investments
• Compliance & Audit: Produce Reports
• IT Operations: Prioritize Mitigation
Security concepts rarely implemented (properly)
Security concepts that are rarely implemented

Least Privilege
Least privilege requires that a user be given no more access privilege than necessary to perform a job, task, or function.

Need to Know
Need to know should be used heavily in situations where operational secrecy is a key concern, in order to reduce the risk that someone will leak that information to the enemy. It is a companion concept to least privilege: it defines that minimum as a need for that access based on job or business requirements.
High Profile Breaches in 2013
High Profile Breaches in 2013 - NSA
Edward Snowden and the National Security Agency
Edward Snowden, a contractor working as a systems administrator for the NSA, convinced several of his co-workers to provide him with their system credentials, according to a report by Reuters. Snowden may have convinced up to 25 employees at the NSA to give him their usernames and passwords under the pretext that he needed them to do his job.
High Profile Breaches in 2013 - Vodafone
In a statement to CSO, a Vodafone spokesperson said that there had been a "sophisticated and illegal intrusion into one of its servers in Germany," and that the attack appears to have been executed by someone inside the company. An individual has been identified by the police, and their assets have been seized, but there was no further information available by deadline. Speculation by local media in Germany has pointed to a sub-contractor who worked with the telecom giant's administration system as the key suspect.
High Profile Breaches in 2013 and 2014 - JPMorgan

High Profile Breaches in 2013 and 2014 - ShellShock
What can we do to reduce the attack surface?
How can someone get access to your systems?
• They have a valid credential (username and password);
• That valid credential must also have the appropriate privileges;
• They can exploit an existing vulnerability in your system, in which case they do not need credentials.
What can we do to reduce the attack surface?
• Enforce Least Privilege across your organization;
• Control who can access each privileged account and system in your environment;
• Audit what users are doing when they are granted privileged access;
• Audit who is accessing your data, look for anomalies, create alerts, and fix excessive permissions:
  • Changes to critical objects in AD (e.g. the Domain Admins group);
  • Sensitive files and folders in your systems;
  • Executive or strategic mailboxes in your MS Exchange;
  • Sensitive records, tables or databases in MS SQL, Oracle, and DB2.
• Identify whether you can be compromised by external attacks;
• Audit your vulnerabilities, prioritize, and fix them.
How to enforce Least Privilege?
Solution: PowerBroker for Windows
• Who has local administrator rights today?
• Which applications requested elevation?
• Assign admin rights only to approved / business applications
• Session Monitoring: audit what users are doing after launching applications with admin rights
How to control access to privileged accounts?
Solution: PowerBroker Password Safe
PowerBroker Password Safe (architecture)

Components and actors:
• Password Safe Manager (Web Interface)
• PowerBroker Password Safe Administrator or Auditor (Web or CLI Interface)
• User (Web Interface)
• Application or Script

Flows: password request; password retrieved via SSH or HTTPS; password retrieved via API or PBPSRUN; login with the retrieved password on the managed system.

Managed systems:
• Routers / Switches
• Firewalls
• Windows Servers
• Unix/Linux Servers
• SSH/Telnet Devices
• IBM iSeries Servers
• IBM zSeries Servers
• AD/LDAP Directories
• Databases

Additional Password Safe views shown in the deck:
• Session Management
• Account password age: identify issues!
• Service Account Usage
Audit your environment
Microsoft File Servers, Active Directory, Exchange, Event Viewer;
Databases: Oracle, MSSQL, and DB2
Monitor any change that occurs in AD
User, Group, OU, Printer (deleted, changed, created, etc.)
Who? When? Where? What?
Protect critical objects in AD
Specify that in the "Domain Admins" group, only the user "cassio" can make changes. Even other domain admins will not be able to change it.
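As an added example (not part of the original deck and not BeyondTrust product code), the Python below answers the "Who? When? Where? What?" questions for changes to protected AD groups and flags any change made by an account outside the group's allow-list, mirroring the rule that only "cassio" may change Domain Admins. Event IDs 4728/4732/4756 and their removal counterparts 4729/4733/4757 are the real Windows Security events for group membership changes; the field names, the constructed sample events, the DC names and the allow-list are assumptions for the example. The second sample event also shows how the "hacker account added to Domain Admins" challenge later in the deck would surface.

```python
from datetime import datetime

# Real Windows Security event IDs for group membership changes.
GROUP_CHANGE_EVENTS = {
    4728: "member added to global group",
    4729: "member removed from global group",
    4732: "member added to local group",
    4733: "member removed from local group",
    4756: "member added to universal group",
    4757: "member removed from universal group",
}

# Protected groups mapped to the accounts allowed to change them.
# Constructed policy for this example: only "cassio" may modify them.
PROTECTED_GROUPS = {
    "Domain Admins": {"cassio"},
    "Enterprise Admins": {"cassio"},
    "Administrators": {"cassio"},
}

# Constructed sample events, shaped like the fields of the real Security log events.
SAMPLE_EVENTS = [
    {"TimeCreated": "2014-10-01T09:12:03", "EventID": 4728, "Computer": "DC01.corp.example",
     "SubjectUserName": "cassio", "MemberName": "CN=Bruno,OU=IT,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"TimeCreated": "2014-10-01T23:41:55", "EventID": 4728, "Computer": "DC02.corp.example",
     "SubjectUserName": "svc_backup", "MemberName": "CN=hacker,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"TimeCreated": "2014-10-02T08:00:10", "EventID": 4732, "Computer": "DC01.corp.example",
     "SubjectUserName": "cassio", "MemberName": "CN=helpdesk,OU=IT,DC=corp,DC=example",
     "TargetUserName": "Remote Desktop Users"},
    {"TimeCreated": "2014-10-02T10:30:00", "EventID": 4756, "Computer": "DC01.corp.example",
     "SubjectUserName": "jdoe", "MemberName": "CN=jdoe,OU=IT,DC=corp,DC=example",
     "TargetUserName": "Enterprise Admins"},
    {"TimeCreated": "2014-10-02T11:00:00", "EventID": 4624, "Computer": "DC01.corp.example",
     "SubjectUserName": "jdoe", "MemberName": "", "TargetUserName": "jdoe"},  # a logon, not a group change
]


def member_cn(distinguished_name):
    """Return the CN of a member DN ('CN=hacker,CN=Users,...' -> 'hacker')."""
    first = distinguished_name.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first


def audit_group_changes(events, protected=PROTECTED_GROUPS):
    """One record per change to a protected group: who, when, where, what,
    plus whether the actor is on that group's allow-list."""
    alerts = []
    for ev in events:
        what = GROUP_CHANGE_EVENTS.get(ev["EventID"])
        group = ev["TargetUserName"]
        if what is None or group not in protected:
            continue  # not a membership change, or not a group we protect
        actor = ev["SubjectUserName"]
        member = member_cn(ev["MemberName"])
        alerts.append({
            "who": actor,
            "when": datetime.fromisoformat(ev["TimeCreated"]),
            "where": ev["Computer"],
            "what": f"{what}: {member} -> {group}",
            "group": group,
            "member": member,
            "authorized": actor in protected[group],
        })
    return alerts


def unauthorized_changes(events, protected=PROTECTED_GROUPS):
    """Only the changes made by someone outside the allow-list."""
    return [a for a in audit_group_changes(events, protected) if not a["authorized"]]


if __name__ == "__main__":
    for a in audit_group_changes(SAMPLE_EVENTS):
        flag = "OK   " if a["authorized"] else "ALERT"
        print(f"{flag} {a['when']:%Y-%m-%d %H:%M} {a['where']} {a['who']}: {a['what']}")
```

In a real deployment the events would come from the Security log of every domain controller (membership changes are recorded on the DC that processed them, which is why "where" matters); the allow-list is a detection control and complements, rather than replaces, the ACL restriction the slide describes.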
Audit for File Servers
Who accessed the file salary.xls in the last 30/60/90 days?
Who is really accessing/changing your critical data?
Email me if someone deletes or changes the file secrets.doc.
Audit of Events
What errors or security events are happening on my servers?
You are seeing user accounts being locked out. Where is it happening?
Would you like to get alerts when certain types of events are generated?
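As an added example (not part of the original deck and not BeyondTrust product code), the Python below implements the three questions of the two slides above over constructed Windows Security log events: who accessed salary.xls in the last N days, an alert whenever secrets.doc is changed or deleted, and where account lockouts are coming from. Event 4663 (object access) and 4740 (account locked out) are real event IDs and the access-mask bits are the documented ones; the field names, file paths, host names and sample events are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs used below.
OBJECT_ACCESS = 4663     # an attempt was made to access an object (file/folder auditing)
ACCOUNT_LOCKOUT = 4740   # a user account was locked out

# Access-mask bits of event 4663 that mean the file was changed, not just read.
WRITE_DATA, APPEND_DATA, DELETE = 0x2, 0x4, 0x10000
CHANGE_MASK = WRITE_DATA | APPEND_DATA | DELETE

# Fixed "now" so the 30/60/90-day windows are reproducible (constructed).
NOW = datetime(2014, 10, 15, 12, 0, 0)

# Constructed sample events in the shape of the real event fields.
SAMPLE_EVENTS = [
    {"EventID": 4663, "TimeCreated": "2014-10-14T09:05:00", "Computer": "FS01", "SubjectUserName": "alice",
     "ObjectName": r"D:\Finance\salary.xls", "AccessMask": 0x1},
    {"EventID": 4663, "TimeCreated": "2014-09-01T16:20:00", "Computer": "FS01", "SubjectUserName": "bob",
     "ObjectName": r"D:\Finance\salary.xls", "AccessMask": 0x1},
    {"EventID": 4663, "TimeCreated": "2014-06-30T10:00:00", "Computer": "FS01", "SubjectUserName": "carol",
     "ObjectName": r"D:\Finance\salary.xls", "AccessMask": 0x1},       # older than 90 days
    {"EventID": 4663, "TimeCreated": "2014-10-15T11:58:00", "Computer": "FS01", "SubjectUserName": "mallory",
     "ObjectName": r"D:\Legal\secrets.doc", "AccessMask": 0x10000},    # DELETE access
    {"EventID": 4663, "TimeCreated": "2014-10-13T08:00:00", "Computer": "FS01", "SubjectUserName": "alice",
     "ObjectName": r"D:\Legal\secrets.doc", "AccessMask": 0x1},        # read only
    {"EventID": 4740, "TimeCreated": "2014-10-15T11:00:00", "Computer": "DC01", "TargetUserName": "bob",
     "CallerComputerName": "WS-ACCOUNTING-07"},
    {"EventID": 4740, "TimeCreated": "2014-10-15T11:02:00", "Computer": "DC01", "TargetUserName": "alice",
     "CallerComputerName": "WS-ACCOUNTING-07"},
    {"EventID": 4740, "TimeCreated": "2014-10-15T11:30:00", "Computer": "DC01", "TargetUserName": "dave",
     "CallerComputerName": "LAPTOP-DAVE"},
]


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def who_accessed(events, path, days, now=NOW):
    """Who accessed `path` in the last `days` days? -> {user: (count, last access)}"""
    since = now - timedelta(days=days)
    seen = {}
    for ev in events:
        if ev["EventID"] != OBJECT_ACCESS or ev["ObjectName"].lower() != path.lower():
            continue
        t = _when(ev)
        if t < since:
            continue  # outside the window
        count, last = seen.get(ev["SubjectUserName"], (0, None))
        seen[ev["SubjectUserName"]] = (count + 1, t if last is None or t > last else last)
    return seen


def change_alerts(events, path):
    """Alert lines for any write/append/delete on `path`
    (the 'email me if someone deletes or changes secrets.doc' rule)."""
    alerts = []
    for ev in events:
        if ev["EventID"] != OBJECT_ACCESS or ev["ObjectName"].lower() != path.lower():
            continue
        if ev["AccessMask"] & CHANGE_MASK:
            action = "deleted" if ev["AccessMask"] & DELETE else "changed"
            alerts.append(f"{_when(ev):%Y-%m-%d %H:%M} {ev['SubjectUserName']} {action} {path} on {ev['Computer']}")
    return alerts


def lockouts_by_source(events):
    """Where are lockouts happening? -> {caller computer: [locked-out accounts]}"""
    sources = defaultdict(list)
    for ev in events:
        if ev["EventID"] == ACCOUNT_LOCKOUT:
            sources[ev["CallerComputerName"]].append(ev["TargetUserName"])
    return dict(sources)


if __name__ == "__main__":
    for days in (30, 60, 90):
        print(days, "days:", who_accessed(SAMPLE_EVENTS, r"D:\Finance\salary.xls", days))
    print("\n".join(change_alerts(SAMPLE_EVENTS, r"D:\Legal\secrets.doc")))
    print(lockouts_by_source(SAMPLE_EVENTS))
```

The lockout grouping is the useful part of the 4740 event: the "Caller Computer Name" field names the machine the bad passwords came from, so one workstation locking out several accounts stands out immediately. Note that 4663 is only written when a SACL on the file requests auditing for that access type, so the file-access questions can only be answered for files you audit.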
Audit for Microsoft Exchange
An email message has "disappeared". When did it happen, and who deleted it?
Who is reading your CEO's e-mail messages? Only him? Really?
Would you like to receive an alert if this occurs?
Audit for MSSQL, Oracle, and DB2
What changes occurred in the last 24 hours?
Is there someone looking at sensitive tables like salary, credit cards, etc.?
Would you like to receive an alert if suspicious activity occurs?
Audit your vulnerabilities, prioritize, and patch them!
Solution: Retina CS – Vulnerability Mgmt
BeyondInsight Retina CS
• Audit vulnerabilities across your whole IT environment
• Where is your risk higher?
Patch Management
- Patches for Microsoft (Windows, MSSQL, Office, etc.);
- Java;
- Adobe;
- WinRAR;
- Firefox, Chrome, etc.

Risk Matrix Reduction
Challenge: you will be surprised!
• How many administrators do you have in your environment?
• How many service accounts do you have in your environment?
• Who is accessing your top 5 sensitive folders?
• If you create a "hacker" account and add it to the Domain Admins group, when will people realize it?
• When was the last time the password for these accounts and devices was changed?
  • Domain administrator on Windows;
  • Administrator account on your MS Windows workstations;
  • Root on your Linux and Unix systems;
  • Admin password for your networking devices (switches, firewalls, etc.);
  • SA password for your MS SQL or sysadmin for your Oracle.
• How many vulnerabilities can be exploited remotely? I mean, easily exploited remotely by tools already available on the Internet.
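As an added example (not part of the original deck and not BeyondTrust product code), the Python below turns the challenge list into checks over a constructed privileged-account inventory, the kind of snapshot an AD export or asset-discovery run would produce: it counts administrators and service accounts, diffs Domain Admins against an approved baseline (which catches the "hacker" account even if the membership-change event was never collected), and lists privileged accounts, including local Administrator, root, firewall admin and SA, whose password is older than a threshold. Account names, systems, dates, the 90-day threshold and the baseline are assumptions for the example.

```python
from datetime import datetime

# Fixed reference date so the computed ages are reproducible (constructed).
NOW = datetime(2014, 10, 15)
MAX_PASSWORD_AGE_DAYS = 90

# Approved membership of the Domain Admins group (constructed baseline).
APPROVED_DOMAIN_ADMINS = {"cassio", "bruno"}

# Groups that confer privileged access on the platforms in the deck.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "root", "admin", "sysadmin"}

# Constructed inventory: one record per account per system.
ACCOUNTS = [
    {"name": "cassio", "system": "corp.example (AD)", "groups": {"Domain Admins"},
     "service": False, "password_last_set": "2014-09-20"},
    {"name": "bruno", "system": "corp.example (AD)", "groups": {"Domain Admins"},
     "service": False, "password_last_set": "2014-10-01"},
    {"name": "hacker", "system": "corp.example (AD)", "groups": {"Domain Admins"},
     "service": False, "password_last_set": "2014-10-14"},   # not in the baseline
    {"name": "svc_backup", "system": "corp.example (AD)", "groups": {"Backup Operators"},
     "service": True, "password_last_set": "2011-03-02"},
    {"name": "svc_sql", "system": "corp.example (AD)", "groups": {"Domain Users"},
     "service": True, "password_last_set": "2012-07-15"},
    {"name": "Administrator", "system": "WS-ACCOUNTING-07 (Windows)", "groups": {"Administrators"},
     "service": False, "password_last_set": "2013-01-10"},
    {"name": "root", "system": "srv-web01 (Linux)", "groups": {"root"},
     "service": False, "password_last_set": "2014-08-30"},
    {"name": "admin", "system": "fw-edge01 (firewall)", "groups": {"admin"},
     "service": False, "password_last_set": "2010-11-05"},
    {"name": "sa", "system": "db01 (MSSQL)", "groups": {"sysadmin"},
     "service": False, "password_last_set": "2014-10-10"},
]


def is_privileged(acct):
    """True if the account belongs to any privileged group."""
    return bool(acct["groups"] & PRIVILEGED_GROUPS)


def inventory_counts(accounts):
    """How many administrators and how many service accounts do you have?"""
    return {
        "privileged": sum(1 for a in accounts if is_privileged(a)),
        "service": sum(1 for a in accounts if a["service"]),
    }


def unexpected_domain_admins(accounts, approved=APPROVED_DOMAIN_ADMINS):
    """Domain Admins members that are not on the approved baseline."""
    return sorted(a["name"] for a in accounts
                  if "Domain Admins" in a["groups"] and a["name"] not in approved)


def stale_privileged_passwords(accounts, max_age_days=MAX_PASSWORD_AGE_DAYS, now=NOW):
    """(system, account, age in days) for privileged accounts whose password
    is older than max_age_days, oldest first."""
    stale = []
    for a in accounts:
        if not is_privileged(a):
            continue
        age = (now - datetime.fromisoformat(a["password_last_set"])).days
        if age > max_age_days:
            stale.append((a["system"], a["name"], age))
    return sorted(stale, key=lambda row: -row[2])


if __name__ == "__main__":
    print(inventory_counts(ACCOUNTS))
    print("unexpected Domain Admins:", unexpected_domain_admins(ACCOUNTS))
    for system, name, age in stale_privileged_passwords(ACCOUNTS):
        print(f"{age:5d} days  {name}@{system}")
```

Running the baseline diff on a schedule answers the "when will people realize it?" question with a concrete number: the detection delay is at most the interval between two runs, independent of whether anyone reads the event log.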
Thank You!
Bruno Caseiro
bcaseiro@beyondtrust.com
Booth # 18
Editor's Notes

#4: Goals for this slide: introduce the BeyondInsight platform capabilities, both the overarching capabilities and the category-specific capabilities. Emphasize that all capabilities are integrated to enable collective risk reduction efforts among various stakeholders.

BeyondInsight platform solutions offer a variety of capabilities that help you gain a clearer understanding of risk and take the necessary steps to protect your organization. 1) Vulnerability Management capabilities enable you to reduce external, attacker-triggered risk by identifying IT security exposures, measuring breach likelihood, and managing remediation and endpoint protection. 2) Privilege and Access Management capabilities enable you to reduce internal, user-triggered risk by managing access control policies and limiting access to key systems, applications and data. BeyondInsight enables stakeholders from across your organization to collaboratively "connect the dots" between external and internal threats. This is facilitated through BeyondInsight's dashboard interface offering shared capabilities from asset discovery and profiling to reporting and analytics. As a result, you have a single, contextual lens through which to view user and asset risk. This clear, consolidated risk profile enables proactive, joint decision-making while ensuring that daily operations are guided by common goals for risk reduction.