Management and Control of Privileged Access: What Are the Best Practices?

Transcript of the slide deck (20 pages).

Page 1

© Hitachi Systems CBT S.p.A. 2015. All rights reserved.

07/04/2016

Denis Valter Cassinerio
Security BU Director & Sales North Director

Management and Control of Privileged Access: What Are the Best Practices?

Page 2

Sources of attack

The survey chart splits the sources into internal and external:

• Hacktivists
• Direct collaborators
• Criminal organizations
• Former employees
• IT service providers
• Competitors
• Current employees

Sample: 124 respondents
Source: Survey by Osservatori Politecnico

Page 3

ATTACK SURFACE

Page 4

Reconnaissance | Weaponization | Delivery | Backdoor | Lateral Movement | Data Collection | Exfiltrate

Intrusion kill chain, phase by phase:

1. Research, identification and selection of targets, often represented as crawling internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.

2. Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool. Increasingly, client application data files such as Adobe PDF or MS Office documents serve as the weaponized deliverable.

3. Transmission of the weapon to the targeted environment using vectors like email attachments, websites, and USB removable media.

4. After the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability.

5. Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment and escalate privileges.

6. Typically, compromised hosts must beacon outbound to an internet controller server to establish a C&C channel.

7. Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment.

Courses of action: DETECT | DENY | DISRUPT | DEGRADE | DECEIVE | DESTROY

CAMPAIGN ANALYSIS – TOOLS, TECHNIQUES AND PROCEDURES
LEVERAGE; DISCOVER; ANALYZE ATOMIC, COMPUTED AND BEHAVIOR INDICATORS

Understand a CYBER ATTACK

Page 5

PRIVILEGED ACCOUNT - Definition

What is a Privileged Account?

Privileged accounts are valid credentials used to gain access to systems. The difference is that they also provide elevated, non-restrictive access to the underlying platform that non-privileged user accounts do not have access to.

These accounts are designed to be used by sysadmins to deploy and manage IT technology, like operating systems, network devices, applications and more.

They are the proverbial keys to the infrastructure, which is why attackers or malicious insiders seek to steal them.

They basically provide access to just about everything. We use the term "privileged account" as an umbrella term, but here are the most common privileged accounts found across an environment:

Page 6

PRIVILEGED ACCOUNTS – Who & What

1 - Local Administrative Accounts: These non-personal accounts provide administrative access to the local host.

2 - Privileged User Accounts: These are credentials that give administrative privileges on one or more systems.

3 - Domain Administrative Accounts: These accounts give privileged administrative access across all workstations and servers within a Windows domain.

4 - Emergency Accounts: These provide unprivileged users with administrative access to secure systems in the case of an emergency.

5 - Service Accounts: These can be privileged local or domain accounts that are used by an application or service to interact with the operating system.

6 - Application Accounts: These are accounts used by applications to access databases, run batch jobs or scripts, or provide access to other applications.

Page 7

USER with ADMIN RIGHTS can …

Change System Configurations
• Install & start services
• Stop existing services (such as the firewall)
• Disable / uninstall anti-virus
• Cause code to run whenever someone logs on to that system
• Render the machine unbootable
• Replace OS and other program files with Trojans

Install Malware
• Kernel-mode rootkits
• System-level key loggers
• Malicious ActiveX controls
• Spyware / Adware
• Malware to facilitate pass-the-hash exploits

Access and Change Accounts
• Create and modify user accounts
• Reset local passwords
• Access data belonging to other users

Page 8

IDENTITY «Matters» … IAM vs PAM

Layered diagram (labels recovered from the slide):

• Extended Perimeter Layer: Remote Employees, Consumers, Users from other Orgs
• Perimeter Layer
• Control Layer: Identity & Access Management, Policy Management, Integrated Directory Environment, Security Management
• Resource Layer: Departmental Environment

Page 9

ACCESS MANAGEMENT : The Reality

ADMINISTRATORS
• Too many IDs
• Too many end-user requests
• Difficult or unreliable ways to sync all the accounts
• Orphaned accounts

AUDIT/COMPLIANCE
• Limited or no audit capability
• Where are the audit trails?

END USERS
• Too many IDs
• Too many passwords
• Must wait for access to applications

Page 10

BALANCE between SECURITY & OPERATIONS

PC Uncontrolled  <——  Granular admin Rights Mgmt  ——>  PC Completely Locked Down

PC Uncontrolled:
• Unstable PC
• Costly level 2/3 support
• Open gate to intruders

PC Completely Locked Down:
• High frequency of installation requests and admin actions for end users
• Impact on productivity

Page 11

GET FOCUSED ON «PAM»

PRIVILEGED ACCOUNT MANAGEMENT

• Protect what matters, even against insider threats
• Ensure compliance
• Improve IT reliability and reduce costs
• Enable a secure path to applications and cloud
• Don't analyze everything: analyze the «Right Thing»
• Map normal behaviour
• Impede lateral movements
• Identify breaches
• Avoid data breaches

Page 12

PAM SECURITY DRIVERS

COMPLIANCE

Common Standards: L.196, L.231, ISO 27001, HIPAA, SOX, PCI DSS…

New Challenges
• DATA PROTECTION OFFICER
• AVOID DATA BREACH
• DETECT & ALERT
• FORENSICS

Compliance + Controls
Identity + Processes
Proactive
Investigate

Page 13

IT SECURITY DRIVERS

COMPLIANCE

Direttiva 263 / 285

• Store and centrally manage the privileged accounts present on systems and applications
• Remove knowledge of impersonal (shared) privileged accounts from system administrators and application managers
• Grant access to and use of credentials only when necessary, based on authorization, segregation and least-privilege criteria
• Have users execute commands, or entire sessions, in a controlled mode
• Separate the provisioning of accounts (IAM) from the control of their use
• Monitor the use of privileged credentials by personnel (internal or suppliers) and the actions performed, through logs, video recordings and reports
• Keep logs in encrypted, unaltered repositories

Page 14

BEST PRACTICES – Based on Level of Maturity

• Inventory & reduce the number of privileged accounts
• Prohibit standard user accounts from having privileged access
• Create a process for on- and off-boarding employees that have privileged account access
• Eliminate the practice of accounts that have non-expiring passwords
• Store passwords securely
• Automatically change privileged account passwords on a 30 or 60 day cycle
• Utilize one-time passwords, which are passwords that are valid for only one login session or transaction
• Implement session recording for key assets, servers and third party access
• Eliminate the option of interactive (human) login for service accounts
• Implement a process to change hard-coded or embedded passwords for scripts and service accounts
• Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior

Page 15

BEST PRACTICES – Based on Level of Maturity

• Use automated tools to disable inactive privileged accounts
• Use multifactor authentication for all administrative access, including domain administrative access
• Implement automated password verification and reconciliation to ensure that the passwords of record are current on all systems
• Regularly change and verify hardcoded passwords embedded in applications
• Deploy a solution that provides the ability to directly connect to a target system without displaying the password to the user
• Implement a gateway to eliminate privileged users directly accessing sensitive assets in the IT infrastructure
• Implement a request workflow for credential access approval, including dual controls and integration with helpdesk ticketing systems
• Implement session recording for all privileged access
• Proactively detect malicious behavior

Page 16

BEST PRACTICES – Based on Level of Maturity

• Ensure, to the best of the organization's ability, that all actions using shared administrative accounts can be attributed to a specific individual
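Attribution of shared-account activity, as this slide asks for, falls out of two controls from the previous slide: a request workflow with dual control and a ticket reference, and session recording. The example below is added for this transcript and is not code from the deck or from Hitachi Systems CBT. It joins a constructed checkout ledger (who requested a shared account, who approved, for which window) with constructed session records, attributes each session to the requester whose approved window fully covers it, and reports the two things a reviewer wants to see: sessions no checkout accounts for, and checkouts that were self-approved. All names, hosts, addresses, times and ticket numbers are invented; the record layouts are assumptions, not any product's format.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Checkout:
    """One approved credential checkout from the request workflow (assumed layout)."""
    account: str
    requester: str
    approver: str
    ticket: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Session:
    """One recorded logon session of a shared account (assumed layout)."""
    account: str
    host: str
    source_ip: str
    start: datetime
    end: datetime


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed ledger: two checkouts of the same shared account on one day.
SAMPLE_CHECKOUTS: List[Checkout] = [
    Checkout("root-shared", "carol", "dave", "INC-0001", _t("2016-04-06 09:00"), _t("2016-04-06 11:00")),
    Checkout("root-shared", "erin",  "erin", "INC-0002", _t("2016-04-06 14:00"), _t("2016-04-06 15:00")),  # self-approved
]

# Constructed session log for the same account.
SAMPLE_SESSIONS: List[Session] = [
    Session("root-shared", "db01",  "10.0.0.12", _t("2016-04-06 09:15"), _t("2016-04-06 09:40")),  # inside carol's window
    Session("root-shared", "db01",  "10.0.0.31", _t("2016-04-06 14:10"), _t("2016-04-06 14:30")),  # inside erin's window
    Session("root-shared", "app02", "10.0.0.77", _t("2016-04-06 22:05"), _t("2016-04-06 22:20")),  # no checkout at all
    Session("root-shared", "db01",  "10.0.0.12", _t("2016-04-06 10:50"), _t("2016-04-06 11:20")),  # runs past carol's window
]


def attribute_sessions(sessions: List[Session],
                       checkouts: List[Checkout]) -> List[Tuple[Session, Optional[str]]]:
    """Pair each session with the requester whose checkout of the same account
    covers the whole session, or None when no checkout does. A session that
    starts inside a window but ends after it is treated as unattributed: the
    approval did not cover everything that happened."""
    result: List[Tuple[Session, Optional[str]]] = []
    for s in sessions:
        covering = [c for c in checkouts
                    if c.account == s.account and c.start <= s.start and s.end <= c.end]
        result.append((s, covering[0].requester if covering else None))
    return result


def review_shared_account_use(sessions: List[Session], checkouts: List[Checkout]) -> List[str]:
    """Produce the review findings: unattributed sessions and checkouts that
    bypassed dual control (approver identical to requester)."""
    findings: List[str] = []
    for s, who in attribute_sessions(sessions, checkouts):
        if who is None:
            findings.append(f"{s.account}@{s.host} {s.start:%Y-%m-%d %H:%M}-{s.end:%H:%M} "
                            f"from {s.source_ip}: no approved checkout covers this session")
    for c in checkouts:
        if c.approver == c.requester:
            findings.append(f"checkout of {c.account} by {c.requester} ({c.ticket}): "
                            f"self-approved, dual control not satisfied")
    return findings


def run_sample_review() -> List[str]:
    return review_shared_account_use(SAMPLE_SESSIONS, SAMPLE_CHECKOUTS)


if __name__ == "__main__":
    for s, who in attribute_sessions(SAMPLE_SESSIONS, SAMPLE_CHECKOUTS):
        print(f"{s.start:%H:%M}-{s.end:%H:%M} {s.account}@{s.host}: {who or 'UNATTRIBUTED'}")
    for line in run_sample_review():
        print("FINDING:", line)
```

The join is deliberately strict about the window: a session that overruns its approval is as much an attribution gap as one with no approval, which is why the slide's wording is "all actions", not "all logons". Where the vendor solution connects the user without ever showing the password (previous slide), the ledger and the session are produced by the same gateway and the join becomes trivial; the example shows what has to be reconstructed when they are not.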

Page 17

WHERE TO START FROM

• Discover where your privileged accounts exist
• Clearly assess privileged account security risks
• Identify all privileged passwords, SSH keys, and password hashes
• Collect reliable and comprehensive audit information

Page 18

CYBER THREATS JUST AHEAD

TOP 3 CYBER THREATS facing organisations in 2016

• 52% Social Engineering
• 40% Insider Threats
• 39% Advanced Persistent Threats

Source: ISACA's January 2016 Cybersecurity Snapshot, global data

Page 19

SECURITY BU – The Right «Partner»

SOLUTIONS | SERVICES | CONSULTING | GOVERNANCE

• Compliance
• Professional Services
• Technology
• Cyber Security
• Managed Security Services

Page 20

Superior service empowered by combining the strength of our people and information technology.