The Three Phases of Securing
Privileged Accounts:
A Best Practices Guide
Table of Contents
Privileged Accounts, What are They?
    Types of Privileged Accounts
Securing Privileged Accounts
    Manual Protection
    Privileged Account Security Solutions
Best Practices
    Baseline Solution Maturity
    Medium Effective Maturity
    Highly Effective Maturity
Conclusion
Privileged Accounts, What are They?
Privileged accounts are exploited every day by advanced and insider attacks to steal billions of dollars’ worth of sensitive
information. Correspondingly, security frameworks such as the Council on Cyber Security Top 20 Critical Security Controls,
NIST and others have always maintained the importance of protecting, managing and monitoring privileged accounts. There
is wide agreement across the security industry that these accounts represent the keys to a company’s digital kingdom. So,
what are they and what are some best practices an organization can employ to avoid becoming a victim?
Privileged accounts, like regular user accounts, have a valid set of credentials used to gain access to a particular system or
systems on a given network. The difference is that privileged account credentials provide elevated, non-restrictive
access to the underlying platform that non-privileged user accounts do not have. These accounts are designed to
be used by system administrators to manage or troubleshoot network systems, run services, or allow applications to
communicate with one another. The downside is that these same credentials, which keep the business
operating, can just as easily be used by attackers or malicious insiders to cause significant damage to the network and the organization.
Types of Privileged Accounts
Privileged accounts exist in many forms across an enterprise environment and typically outnumber employees by two or
three to one. All of them pose significant security risks if not protected, managed and monitored. The
types of privileged accounts typically found across an enterprise environment include:
Local Administrative Accounts are non-personal accounts which provide administrative access to the local host or
instance only. Local admin accounts are routinely used by the IT staff to perform maintenance on workstations, servers,
network devices, databases, mainframes etc. Often, they have the same password across an entire platform or organization
for ease of use. This shared password across thousands of hosts makes for a soft target that advanced threats routinely
exploit.
Privileged User Accounts are named credentials which have been granted administrative privileges on one or more
systems. This is typically one of the most common forms of privileged account access granted on an enterprise network,
allowing users to have administrative rights on, for example, their local desktops or across the systems they manage. Often
these accounts have unique and complex passwords, and the power they wield across managed systems makes it
necessary to continuously monitor their use.
Domain Administrative Accounts have privileged administrative access across all workstations and servers within the
domain. While these accounts are few in number, they provide the most extensive and robust access across the network.
With complete control over all domain controllers and the ability to modify the membership of every administrative account
within the domain, a compromise of these credentials is often a worst case scenario for any organization.
Emergency Accounts provide unprivileged users with administrative access to secure systems in the case of an emergency
and are sometimes referred to as ‘firecall’ or ‘breakglass’ accounts. While access to these accounts typically requires
managerial approval for security reasons, it is usually a manual process that is inefficient and lacks any auditability.
Service Accounts can be privileged local or domain accounts that are used by an application or service to interact with the
operating system. In some cases these service accounts have domain administrative privileges, depending on the
requirements of the application they are used for. Local service accounts can interact with a variety of Windows
components, which makes coordinating password changes difficult. Active Directory or domain service account password
changes can be even more challenging because they require coordination across multiple systems. This challenge often leads to the
common practice of rarely changing service account passwords, which represents a significant risk across an enterprise.
Application Accounts are accounts used by applications to access databases, run batch jobs or scripts, or provide access
to other applications. These privileged accounts usually have broad access to underlying company information that resides
in applications and databases. Passwords for these accounts are often embedded and stored in unencrypted text files, a
vulnerability that is replicated across multiple servers to provide greater fault tolerance for applications. This vulnerability
represents a significant risk to an organization because the applications often host the exact data that APTs are targeting.
©Cyber-Ark Software, Ltd | cyberark.com
Securing Privileged Accounts
The lack of accountability and protection of privileged accounts in corporate networks is the vulnerability most often exploited
by advanced and insider threats, and the benefits of securing privileged accounts cannot be overstated. Regardless of the
resources available, there are practical solutions for every organization and every budget. Best-practice solutions range from
manual processes that incrementally improve security to automated enterprise solutions that provide analytics and best-in-class
security. This paper presents the options organizations have when securing privileged accounts.
Manual Protection
While ultimately better than doing nothing, manually protecting, managing, and monitoring privileged accounts is a
tedious, time-consuming, and resource-draining process. Large organizations will find it nearly impossible to manually audit
thousands of privileged accounts on a daily basis, and manual solutions will be only minimally effective for organizations of
any size because of the limitations of scaling, auditing and reporting. Highly regulated environments that must comply with HIPAA, SOX,
PCI and other mandates require a level of auditability that will stress even the most elegant manual solution. In addition, manual
analysis and alerting are prone to human error, and the consequences of failure can run to millions of dollars in
incident response, recovery, and lost productivity. Protecting privileged accounts through manual
auditing is the least mature and least effective of the solutions available.
Privileged Account Security Solutions
Mid and large-size organizations will get very little return on investment when manually trying to manage privileged identities.
Therefore, these organizations will find it is more efficient and ultimately effective to purchase and manage their own
privileged account security solution or contract a managed service to provide a solution. Enterprise solutions that protect,
manage, and monitor privileged users, sessions, and applications while integrating with existing security investments such as
Security Information and Event Management (SIEM) solutions provide the best value for large organizations.
Whichever route is decided upon, taking a staged approach and increasing the security of the solution over time is
recommended. For companies with no privileged account security solution in place, the task of securing these critical
accounts can be overwhelming. There are, however, solutions available that enable rollout in a phased and organized
manner. Implementing the optimal solution for the organization and continuing to monitor and make improvements as the
business environment changes ensures an organization can stay one step ahead of advanced and internal threats.
Best Practices
Organizations can control and protect privileged accounts through use of the best practices listed below. Many of these
practices require only process changes, while others may involve tools or solutions to implement. To help you determine
which actions give you the most benefit we have grouped them by maturity level.
Baseline Solution Maturity
Inventory and reduce the number of privileged accounts in your organization.
Knowing how many accounts are present in the environment and where they are is a critical first step in making
informed risk decisions and protecting the accounts. Once inventoried, privileged accounts should be reviewed and
unnecessary accounts should be deleted to reduce the overall number of accounts requiring management.
Prohibit standard user accounts from having privileged access.
Utilizing separate accounts for general and administrative use enables organizations to identify misuse or abuse of
privileged accounts. In addition, enforcing least privilege is a significant step an organization can take towards
improving the security of their network environment.
Create a process for on- and off-boarding employees that have privileged account access.
Employees should understand the responsibility that comes with privileged access and be trained in existing corporate
policies before administrative access is granted. Access should routinely be reviewed to ensure privileged access is still
required. The off-boarding process should include disabling all of the employee's privileged accounts and changing the
passwords of any shared accounts the employee had access to.
Eliminate the practice of accounts that have non-expiring passwords.
Passwords should be changed on a regular schedule to reduce their vulnerability to password cracking tools and
password sharing between employees.
Store passwords securely.
It is imperative that organizations store their privileged passwords in the most secure, encrypted vaulting system
available. The use of envelopes, binders, spreadsheets, flat files, etc. for the storage of privileged account information
should be eliminated.
Ensure, to the best of the organization’s ability, all actions using shared administrative accounts can be
attributed to a specific individual.
Shared credentials should be completely eliminated. If that is not possible, the ability to enforce and audit individual
accountability is required.
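The inventory step above, the check for non-expiring passwords, and the later (Highly Effective) item on disabling inactive privileged accounts can all be driven from one attribute export of the directory. What follows is an added example, not code from the paper or from CyberArk: it decodes the userAccountControl bits and lastLogonTimestamp of an Active Directory export and reports privileged accounts that have non-expiring passwords, require no password, have gone inactive, or are standard user accounts holding administrative group membership. The userAccountControl values and built-in group names are Microsoft's; the adm-/svc- naming convention, the 90-day inactivity threshold and the sample records are assumptions made for this example.

```python
"""Inventory privileged Active Directory accounts from an attribute export.

Added example, not code from the paper or from CyberArk. The input is assumed to
be a list of dicts shaped like the attributes an AD export would give
(sAMAccountName, userAccountControl, memberOf, lastLogonTimestamp). The
userAccountControl bit values and built-in group names are Microsoft's; the
adm-/svc- naming convention and the sample records are constructed.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flags (documented Microsoft values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Built-in AD groups whose members count as privileged; extend per organisation.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Server Operators", "Backup Operators",
}
# Assumed naming convention: dedicated admin and service accounts carry these prefixes.
DESIGNATED_PREFIXES = ("adm-", "svc-")

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """lastLogonTimestamp is 100-nanosecond ticks since 1601-01-01 UTC; 0/None means never."""
    if not ticks:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample records."""
    return int((dt - _FILETIME_EPOCH).total_seconds() * 10_000_000)


def group_cn(dn):
    """'CN=Domain Admins,CN=Users,DC=corp,DC=example' -> 'Domain Admins'."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:] if rdn.upper().startswith("CN=") else rdn


def assess_account(acct, now, inactive_days=90):
    """Return the findings for one record; an empty list means no issue (or not privileged)."""
    groups = {group_cn(g) for g in acct.get("memberOf", [])}
    if not groups & PRIVILEGED_GROUPS:
        return []
    uac = int(acct.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        return []  # already disabled: nothing to protect (but still a candidate for deletion)
    findings = []
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("non-expiring password")
    if uac & PASSWD_NOTREQD:
        findings.append("password not required")
    last = filetime_to_datetime(acct.get("lastLogonTimestamp"))
    if last is None or now - last > timedelta(days=inactive_days):
        findings.append(f"inactive >{inactive_days}d")
    if not acct["sAMAccountName"].lower().startswith(DESIGNATED_PREFIXES):
        findings.append("standard user account holds privileged group membership")
    return findings


def inventory(records, now, inactive_days=90):
    """Map sAMAccountName -> findings for every privileged account that has at least one."""
    report = {}
    for acct in records:
        findings = assess_account(acct, now, inactive_days)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


# --- constructed sample export (not real data) ------------------------------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
BO = "CN=Backup Operators,CN=Builtin,DC=corp,DC=example"

SAMPLE_RECORDS = [
    {"sAMAccountName": "adm-jsmith", "userAccountControl": NORMAL_ACCOUNT,
     "memberOf": [DA], "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=5))},
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "memberOf": [BO], "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=2))},
    {"sAMAccountName": "bjones", "userAccountControl": NORMAL_ACCOUNT,
     "memberOf": [DA], "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "old-admin", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "memberOf": [DA], "lastLogonTimestamp": 0},
    {"sAMAccountName": "mwilson", "userAccountControl": NORMAL_ACCOUNT,
     "memberOf": [], "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
]

if __name__ == "__main__":
    for name, findings in inventory(SAMPLE_RECORDS, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

To run it against a real domain, export sAMAccountName, userAccountControl, memberOf and lastLogonTimestamp for every user and load the rows into the same dict shape. One caveat: lastLogonTimestamp is only replicated between domain controllers when it is more than about 14 days stale, so an inactivity threshold shorter than that is meaningless with this attribute.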
Medium Effective Maturity
Automatically change privileged account passwords on a 30 or 60 day cycle.
Privileged passwords should be systematically changed on a regular schedule and should be complex, difficult to
guess, and unique to each account. Password policies, however, should not be so onerous that they encourage bad
behavior such as writing passwords down.
Utilize one-time passwords, which are passwords that are valid for only one login session or transaction.
Changing passwords frequently, ideally after every use, makes a stolen credential much harder and therefore more
expensive for an attacker to use, and significantly reduces the risk of attack.
Implement session recording for key assets, servers and third party access.
Monitor and record privileged account actions for key assets, servers and access by third parties.
Eliminate the option of interactive (human) login for service accounts.
Allowing service accounts to be used interactively presents a significant vulnerability that can be eliminated with
relative ease once an inventory of accounts is established.
Implement a process to change hard-coded or embedded passwords for scripts and service accounts.
Without proper processes in place, changing hardcoded passwords can easily break something in the infrastructure.
An automated system to change embedded passwords in scripts and service accounts can increase security without
introducing risk.
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous
behavior.
Logging all user activity and generating alerts on unusual behavior provides additional information on privileged
account access and use. Integrating this data with the security team's tooling can dramatically reduce the time needed to
review and investigate potential incidents and violations.
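The two items above, eliminating interactive logon for service accounts and auditing administrative use for anomalous behavior, can both be checked from Windows Security event 4624 (successful logon) records. What follows is an added example, not code from the paper or from CyberArk: it flags service accounts seen with an interactive logon type, and privileged accounts logging on from a host other than their expected source (for example a jump host) or outside business hours. The event field names and LogonType numbers are Microsoft's; the svc-/adm- naming convention, the per-account host baseline, the business-hours window and the sample events are constructed for this example.

```python
"""Flag interactive use of service accounts and unusual privileged logons in
Windows Security event 4624 records.

Added example, not code from the paper or from CyberArk. Event 4624 field names
and LogonType numbers are Microsoft's; the svc-/adm- naming convention, the
expected-host baseline, the business-hours window and the sample events are
constructed assumptions.
"""
from datetime import datetime

# Event 4624 LogonType values (real Windows values).
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Network, Batch and Service: the only ways a service account should ever log on.
SERVICE_ACCOUNT_OK_TYPES = {3, 4, 5}

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time


def is_service_account(user):
    return user.lower().startswith("svc-")  # assumed naming convention


def is_admin_account(user):
    return user.lower().startswith("adm-")  # assumed naming convention


def detect(events, expected_hosts):
    """events: dicts with EventID, TimeCreated (ISO 8601), TargetUserName, LogonType,
    WorkstationName and IpAddress, as parsed from the Security log.
    expected_hosts: admin account -> set of workstation names it normally logs on from.
    Returns alert dicts in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        user = ev["TargetUserName"]
        ltype = int(ev["LogonType"])
        host = ev.get("WorkstationName", "")
        when = datetime.fromisoformat(ev["TimeCreated"])
        base = {"user": user, "host": host, "ip": ev.get("IpAddress", "-"),
                "logon_type": ltype, "time": ev["TimeCreated"]}
        # A service account should never appear with an interactive/RDP/cached logon.
        if is_service_account(user) and ltype not in SERVICE_ACCOUNT_OK_TYPES:
            alerts.append({"rule": "service-account-interactive", **base})
        # Admin interactive logons: compare against the per-account baseline.
        if is_admin_account(user) and ltype in INTERACTIVE_TYPES:
            if host not in expected_hosts.get(user, set()):
                alerts.append({"rule": "admin-logon-unexpected-host", **base})
            if when.hour not in BUSINESS_HOURS:
                alerts.append({"rule": "admin-logon-off-hours", **base})
    return alerts


# --- constructed sample events (not real log data) ---------------------------
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-06-03T03:00:12", "TargetUserName": "svc-backup",
     "LogonType": 5, "WorkstationName": "SRV-FILE01", "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2024-06-03T02:14:00", "TargetUserName": "svc-backup",
     "LogonType": 10, "WorkstationName": "SRV-FILE01", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-06-03T10:05:41", "TargetUserName": "adm-jsmith",
     "LogonType": 10, "WorkstationName": "JUMP-01", "IpAddress": "10.0.1.10"},
    {"EventID": 4624, "TimeCreated": "2024-06-03T22:30:07", "TargetUserName": "adm-jsmith",
     "LogonType": 2, "WorkstationName": "WS-4711", "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2024-06-03T09:00:00", "TargetUserName": "mwilson",
     "LogonType": 2, "WorkstationName": "WS-0042", "IpAddress": "-"},
    {"EventID": 4625, "TimeCreated": "2024-06-03T22:31:00", "TargetUserName": "adm-jsmith",
     "LogonType": 2, "WorkstationName": "WS-4711", "IpAddress": "-"},
]
EXPECTED_HOSTS = {"adm-jsmith": {"JUMP-01"}}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, EXPECTED_HOSTS):
        print(f"{a['time']} {a['rule']}: {a['user']} type {a['logon_type']} "
              f"on {a['host']} from {a['ip']}")
```

Detection is the backstop, not the control: the preferred fix is to assign service accounts the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights through Group Policy so that such logons fail (event 4625) instead of succeeding, and then use a rule like the first one above to confirm the policy is actually applied on every host.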
Highly Effective Maturity
Use automated tools to disable inactive privileged accounts.
Privileged account security across the enterprise is difficult and prone to human error. Relying on manual processes and
institutional knowledge is better than doing nothing, but automation is far more effective.
Use multifactor authentication for all administrative access, including domain administrative access.
While not foolproof, this additional layer of security makes privileged identities a harder target for advanced threats.
Many platforms (such as legacy network devices or business applications) may not support multi-factor authentication.
Deploying a privileged account security solution with support for multifactor authentication eliminates the need to
support multifactor authentication natively to target devices.
Implement automated password verification and reconciliation to ensure that the passwords of record are current
on all systems.
Automation is critical when managing privileged identities: new accounts are constantly being created and deleted, which
requires an automated system to manage and verify passwords.
Regularly change and verify hardcoded passwords embedded in applications.
Auditing of all accounts and implementing automated management of application credentials enables organizations to
achieve regular password rotation without introducing risk. Until application accounts are managed, organizations will
not truly be able to manage the risk associated with all privileged accounts in their infrastructure.
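The item above, and the Medium Effective item on changing hard-coded or embedded passwords in scripts and service accounts, both begin with finding where the literals live. What follows is an added example, not code from the paper or from CyberArk: a scanner that locates credentials embedded in scripts and configuration files in three common shapes (key=value assignments, userinfo in URLs and connection strings, and a password glued to a -p command-line flag), reports each hit with the secret redacted, and rewrites the line with a placeholder to be resolved from a vault at deploy or run time. The regular expressions, the placeholder conventions, the ${VAULT_SECRET} substitution and the sample file contents are assumptions made for this example.

```python
"""Locate credentials embedded in scripts and configuration files so they can be
moved into managed storage and rotated.

Added example, not code from the paper or from CyberArk. The regex patterns, the
placeholder conventions (values starting with ${, {{, $( or < are treated as
already externalised), the ${VAULT_SECRET} substitution and the sample file
contents are constructed assumptions.
"""
import re

PATTERNS = [
    # key = value forms: db.password=..., passwd: "...", API_KEY="..."
    ("assignment", re.compile(
        r"""(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*["']?([^"'\s;,]+)""")),
    # userinfo in URLs and connection strings: scheme://user:pass@host
    ("url_userinfo", re.compile(
        r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@""")),
    # tools that take the password glued to -p (mysql -pS3cret); -password/-passwd are excluded
    ("cli_flag", re.compile(r"""(?<!\S)-p(?!assw(?:or)?d)(\S+)""")),
]

PLACEHOLDER_STARTS = ("${", "{{", "$(", "<")


def is_placeholder(value):
    """Values that already point at an environment variable or template are not findings."""
    return value.startswith(PLACEHOLDER_STARTS)


def redact(secret):
    """Never write the full secret into a report; keep two characters for triage."""
    return secret[:2] + "***"


def scan_text(name, text):
    """Return one finding per embedded credential in `text` (from file `name`)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                if kind == "assignment":
                    key, value = m.group(1).lower(), m.group(2)
                else:
                    key, value = None, m.group(1)
                if is_placeholder(value):
                    continue
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "key": key, "redacted": redact(value)})
    return findings


def scan_files(files):
    """files: mapping of file name -> contents (read them from disk for a real repository)."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


def harden_line(line, secret):
    """Replace the literal with a placeholder that the deploy or runtime step resolves from the vault."""
    return line.replace(secret, "${VAULT_SECRET}")


# --- constructed sample files (not real configuration) -----------------------
SAMPLE_FILES = {
    "backup.sh": "#!/bin/sh\nmysqldump -u backup -pS3cretB4ckup orders > /tmp/orders.sql\n",
    "app.properties": "db.url=jdbc:mysql://app:Pa55word@db01/orders\ndb.user=app\ndb.password=Pa55word\n",
    "deploy.yml": 'api_key: "${API_KEY}"\nregion: eu-west-1\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} key={f['key']} value={f['redacted']}")
    print(harden_line("db.password=Pa55word", "Pa55word"))
```

Regex scanning is deliberately noisy. Treat the hits as a worklist for moving each credential into managed storage (where it can be rotated without editing the file) rather than as proof of a vulnerability, and add patterns for whatever formats your own configuration uses.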
Deploy a solution that provides the ability to directly connect to a target system without displaying the password
to the user.
Preventing the disclosure of privileged passwords to the end user adds an additional layer of security and reduces
maintenance overhead of shared accounts while improving the end-user experience.
Implement a gateway to eliminate privileged users directly accessing sensitive assets in the IT infrastructure.
A gateway between the end user and sensitive assets limits the exposure of those assets to malware running on
administrative endpoints and keeps privileged credentials off of administrative endpoints and desktops.
Implement a request workflow for credential access approval including dual-controls and integration with
helpdesk ticketing systems.
Dual-control processes provide the checks and balances needed to prevent malicious insiders from exploiting their
privileged accounts and lay out a clear audit trail of user access.
Implement session recording for all privileged access.
Require all privileged account actions to be recorded with session recording and video playback for forensic analysis and
change management review.
Proactively detect malicious behavior.
A solution to monitor, detect and alert on anomalous privileged user behavior is a critical layer in a best-in-class
privileged accounts security strategy.
Conclusion
Attackers exploit valid credentials and/or privileged accounts 100% of the time. With those kinds of statistics, it is
hard to imagine companies still turn a blind eye. The cost of doing nothing is routinely displayed in the endless
stream of reports detailing yet another compromise in companies large and small around the globe. Every industry in
every sector of the economy is susceptible to the risk of having their own privileged accounts exploited.
As organizations look to implement a solution to proactively protect and monitor privileged accounts, it is important
to evaluate the business need against the options available and determine the optimal solution based on best
practices. The process of securing privileged accounts should be on-going with continuous evaluation and
adjustments to improve security as the business and threat landscape changes.