Derek A. Smith, C/CISO, CISSP, Fellow at the National Cybersecurity Institute at Excelsior College / Government IT Program Manager. Password Management for Medium to Large Organizations: Guidance for IT Security Policy and Network Infrastructure Design Decisions


Page 1: Password Management for Medium to Large Organizations

Derek A. Smith, C/CISO, CISSP
Fellow at the National Cybersecurity Institute at Excelsior College / Government IT Program Manager

Password Management for Medium to Large Organizations: Guidance for IT Security Policy and Network Infrastructure Design Decisions

Page 2: Password Management for Medium to Large Organizations

Insider Threat – Analysis and Countermeasures 2

Introduction

Today we focus on how decision makers in medium to large organizations can best manage user passwords.

Page 3: Password Management for Medium to Large Organizations


Password Management

Password Protection: The front line of defense against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:

Page 4: Password Management for Medium to Large Organizations


Why organizations still use passwords

Passwords are cheap

Some credentials can only be used on compatible devices

Other credentials combined with passwords create stronger authentication

Legacy applications still need passwords

Page 5: Password Management for Medium to Large Organizations


Deploying passwords for user authentication

Page 6: Password Management for Medium to Large Organizations


How passwords are compromised

Devices may be compromised

Users write them down or share them

Passwords can be guessed

Passwords may be stored in plaintext

Passwords may be stored in a reversible form (encoded, encrypted or weakly hashed) that can be readily converted back to plaintext

Page 7: Password Management for Medium to Large Organizations


Password management and human limitations

Users are people, not machines, so their ability to securely manage passwords is inherently limited.

Page 8: Password Management for Medium to Large Organizations


Password Strength Guidance

One of the weaknesses of passwords is that they can be guessed.

Attackers use password-cracking tools to recover passwords from captured hashes by dictionary and brute-force attack:

L0phtCrack: http://www.l0phtcrack.com/ for Windows.

John the Ripper: http://www.openwall.com/john/ for Windows, Mac OS X or Linux.

Page 9: Password Management for Medium to Large Organizations


Password Strength Guidance Cont.

Users should pick hard-to-guess passwords

Users should choose their passwords from the widest possible set of characters

Page 10: Password Management for Medium to Large Organizations


Password Strength Guidance Cont.

To ensure that the search space is sufficiently large:

Passwords must be at least seven characters long.

Passwords must contain at least one lowercase letter, at least one uppercase letter and at least one digit.

If technically possible, passwords must contain at least one punctuation mark, so long as there are many (10 or more) available punctuation marks.

To eliminate trivial passwords, passwords should not:

Contain the user's name or login ID.

Contain a dictionary word, in any language that users can reasonably be expected to know.

Contain more than two paired letters (e.g. abbcdde is valid, but abbbcdd is not).

Page 11: Password Management for Medium to Large Organizations


Password management in a Global Society

Global organizations speak a variety of languages, so the password policy has to be enforced for users around the world in a way that makes sense for all of them. Some best practices follow from this:

1. Encourage or require users to restrict their passwords to Latin characters, both for compatibility and to avoid input methods which display the characters users type.

2. Do use a dictionary lookup to ensure that new passwords are hard to guess, and do include dictionaries of non-English words represented in Latin character sets (e.g., Pinyin, etc.).
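The rules on the two preceding slides (minimum length and character classes, punctuation only when enough marks are available, no login ID or dictionary word, no more than two paired letters, Latin characters only, a dictionary lookup that includes Latin-script non-English words) expressed as one checker. This is an added example, not code from the presentation: the dictionary is a constructed stand-in for the word lists a deployment would load, the `username` argument and `available_punct` parameter are assumptions, and the 7-character minimum is the slide's figure (current guidance favours longer minimums, so treat it as a floor to raise).

```python
"""Password-policy checker for the strength rules on the slides (added example)."""
import string

MIN_LENGTH = 7                 # the slide's minimum; raise it in a real policy
MIN_PUNCT_AVAILABLE = 10       # punctuation is only required when >= 10 marks can be typed

# Constructed stand-in for real word lists; a deployment loads dictionaries for
# every language users can reasonably know, including Latin-script spellings
# such as Pinyin ("nihao", "zhongguo").
DICTIONARY = {"password", "welcome", "summer", "dragon", "nihao", "zhongguo"}


def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """True if any dictionary word of min_len+ letters appears inside the password."""
    low = pw.lower()
    return any(word in low for word in DICTIONARY if len(word) >= min_len)


def too_many_paired_letters(pw: str) -> bool:
    """True if more than two adjacent repeated characters occur.

    Pairs are counted overlapping, so 'abbcdde' has 2 (bb, dd) and passes
    while 'abbbcdd' has 3 (bb, bb, dd) and fails, matching the slide's examples.
    """
    pairs = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
    return pairs > 2


def check_password(pw: str, username: str,
                   available_punct: str = string.punctuation) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if not pw.isascii():                       # Latin characters only (global-society rule)
        problems.append("non-ASCII character")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    # Only demand punctuation when the platform offers many (10+) marks to choose from.
    if len(available_punct) >= MIN_PUNCT_AVAILABLE and not any(c in available_punct for c in pw):
        problems.append("no punctuation mark")
    if username and username.lower() in pw.lower():
        problems.append("contains login ID")
    if contains_dictionary_word(pw):
        problems.append("contains dictionary word")
    if too_many_paired_letters(pw):
        problems.append("more than two paired letters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("Tr0ub4dor&3", "alice"), ("Nihao2024!", "bob"),
                            ("abbbcdd", "carol"), ("Alice#2024x", "alice")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```

Returning every violation at once, rather than the first, lets the enrolment screen tell the user everything wrong in one round trip; the substring check for the login ID and dictionary words deliberately ignores case, since an attacker's wordlist will too.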

Page 12: Password Management for Medium to Large Organizations


Password reuse

Change them regularly: a common rule is to force users to change their password every 60 or 90 days.

Users should not reuse old passwords; keep a history of previous password hashes and reject a new password that matches any of them.

Enforce a rule that limits the number of password changes a user can make in a given period, so that users cannot cycle through the history and return to a favourite password.
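The earlier slide on how passwords are compromised lists plaintext or reversible storage, and this slide asks for a password history and a limit on how often users may change passwords. The store below, an added example rather than the presentation's code, combines the two: each password is kept only as a salted PBKDF2-HMAC-SHA256 digest (so a stolen store cannot be converted back to plaintext), a new password is rejected if it re-hashes to the current or any of the last `HISTORY_DEPTH` digests, and a change is refused inside `MIN_CHANGE_INTERVAL` so the history cannot be cycled through in one sitting. The depth, interval, iteration count and the injectable clock are assumptions made for the example.

```python
"""Salted slow hashing plus password history and change-rate limits (added example)."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

HISTORY_DEPTH = 10           # assumed: old digests a user may not return to
MIN_CHANGE_INTERVAL = 86400  # assumed: at most one change per day
PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise until one hash costs ~100 ms


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per password means equal
    passwords produce different digests and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """In-memory per-user record: current (salt, digest), history, last change time."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for tests
        self._users = {}

    def set_initial(self, user: str, password: str) -> None:
        self._users[user] = {"current": hash_password(password), "history": [],
                             "changed_at": self._clock()}

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            hash_password(password)  # burn the same time so unknown users are not faster
            return False
        return verify_password(password, *rec["current"])

    def change_password(self, user: str, old: str, new: str) -> str:
        """Return 'ok' or the reason the change was refused."""
        rec = self._users.get(user)
        if rec is None or not verify_password(old, *rec["current"]):
            return "current password incorrect"
        if self._clock() - rec["changed_at"] < MIN_CHANGE_INTERVAL:
            return "changed too recently"
        # Re-hash the candidate under every remembered salt; it must match none of them.
        for salt, digest in [rec["current"]] + rec["history"]:
            if verify_password(new, salt, digest):
                return "password was used recently"
        rec["history"] = ([rec["current"]] + rec["history"])[:HISTORY_DEPTH]
        rec["current"] = hash_password(new)
        rec["changed_at"] = self._clock()
        return "ok"
```

Because every stored digest has its own salt, a history check costs one PBKDF2 derivation per remembered entry; that is acceptable for a handful of entries and is the price of never keeping anything reversible. An administrator-forced reset would bypass the change-interval check, and that path is left out here.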

Page 13: Password Management for Medium to Large Organizations


Password secrecy

Users frequently behave in ways that lead to password disclosure.

A comprehensive password policy should explicitly forbid these behaviors.

User-friendly password management tools and processes should be provided.

Use password synchronization and single sign-on.

Page 14: Password Management for Medium to Large Organizations


Detecting and locking out intruders

Systems can detect repeated attempts to sign into an account with incorrect passwords. Best practice is to combine several intruder lockout-related policies:

Apply lockouts only to regular users, not to administrative accounts, which an attacker could otherwise lock out deliberately

Use a compensating control (such as alerting on repeated failures) for the accounts that are exempt from lockout

Apply a high threshold before triggering an intruder lockout

Automatically clear lockouts after a short while
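The four lockout policies above combined in one tracker. This is an added example, not the presentation's code; the threshold (20 failures within 15 minutes), the 10-minute self-clearing lockout, the set of exempt privileged accounts and the `alert` callback used as the compensating control are assumptions chosen to illustrate the slide.

```python
"""Intruder lockout with high threshold, auto-clear, exemptions and alerting (added example)."""
import time
from collections import deque

LOCKOUT_THRESHOLD = 20        # assumed: high enough that a user's typos never trip it
FAILURE_WINDOW = 15 * 60      # assumed: seconds over which failures are counted
LOCKOUT_DURATION = 10 * 60    # assumed: lockouts clear themselves after this many seconds
EXEMPT_USERS = {"administrator", "break-glass"}  # assumed: never locked, alerted instead


class LockoutPolicy:
    def __init__(self, clock=time.time, alert=print):
        self._clock = clock            # injectable for tests
        self._alert = alert            # compensating control for exempt accounts
        self._failures = {}            # user -> deque of failure timestamps
        self._locked_until = {}        # user -> time the lockout expires

    def is_locked(self, user: str) -> bool:
        """True while a lockout is in force; expired lockouts clear themselves."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, source_ip: str) -> str:
        """Call on each wrong password. Returns 'counted', 'locked' or 'alerted'."""
        now = self._clock()
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > FAILURE_WINDOW:   # forget failures older than the window
            q.popleft()
        if len(q) < LOCKOUT_THRESHOLD:
            return "counted"
        if user in EXEMPT_USERS:
            # Privileged accounts are never locked (that would let an attacker lock
            # the administrators out); page someone instead.
            self._alert(f"ALERT: {len(q)} failed logins for exempt account {user} from {source_ip}")
            return "alerted"
        self._locked_until[user] = now + LOCKOUT_DURATION
        return "locked"

    def record_success(self, user: str) -> None:
        """A correct password while not locked resets the failure count."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(LOCKOUT_THRESHOLD):
        outcome = policy.record_failure("bob", "10.0.0.5")
    print("bob:", outcome, "locked:", policy.is_locked("bob"))
```

The login handler should call `is_locked` before it even checks the password, so a locked account costs the attacker nothing but also tells the server nothing; the sliding window means a slow guess-rate attack that stays under the threshold is not caught by lockout and has to be picked up by the alerting or by log analysis instead.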

Page 15: Password Management for Medium to Large Organizations


Encrypting passwords: Protecting passwords in transit and at rest.

It is generally not safe to trust the physical security of the communication path between a user's device and the systems the user signs into.

Use protocol-level encryption (for example TLS) so the password never crosses the network in the clear.

Use IPsec where an application does not support encryption at the protocol level.

Page 16: Password Management for Medium to Large Organizations


Password synchronization pros and cons

Synchronization reduces security: if a single system is very insecure, then compromising that system will give an attacker the passwords for every other system which uses synchronized passwords. This weakness is avoided by minimizing the use of such systems and requiring that users employ unsynchronized passwords on such weak systems.

Synchronization improves security: users with many passwords have trouble remembering them and consequently tend to write them down. System security is reduced to the security of a piece of paper, a note on the user's phone, etc., i.e., close to zero.

Page 17: Password Management for Medium to Large Organizations


Password synchronization pros and cons cont.

To mitigate the risk follow these guidelines:

Exclude insecure systems

Change synchronized passwords regularly

Force users to choose strong (hard-to-guess) passwords.

Page 18: Password Management for Medium to Large Organizations


Single sign-on pros and cons

Single sign-on (SSO) is any technology that replaces multiple, independent login prompts with a consolidated authentication process, so that users don't have to repeatedly sign in.

Page 19: Password Management for Medium to Large Organizations


The help desk process for forgotten and locked-out passwords

The help desk process

Security challenges

Mitigating controls

User authentication

Page 20: Password Management for Medium to Large Organizations


The challenges of password management and mobile devices

BYOD challenges

1. Connectivity

2. Cached passwords

BYOD opportunities

Page 21: Password Management for Medium to Large Organizations


What Are Privileged Accounts?

Administrative accounts: owned by the system, not by any person or "identity". Shared, predefined accounts: UNIX root, Cisco enable, DBA accounts, Windows domain accounts, etc.

Application accounts: hard-coded, embedded credentials: resource (DB) IDs, generic IDs, batch jobs, testing scripts, application IDs. Service accounts: Windows service accounts, scheduled tasks.

Personal computer accounts: Windows local administrator on desktops and laptops.

Shared accounts: help desk, fire-call, operations, emergency, legacy applications, developer accounts.

Page 22: Password Management for Medium to Large Organizations


Privileged account common practices and risks

Common practices:

Storage: Excel spreadsheets, physical safes, sticky notes, locked drawers, memorizing, hard-coded in applications and services

Resets: handled by designated IT members, call centers, mostly manual

Known to: IT staff, network operations, help desk, desktop support, developers

Common problems:

Widely known, no accountability

Unchanged passwords

Lost passwords

Same password across multiple systems

Simplistic passwords, easy to remember

Passwords not available when needed

Page 23: Password Management for Medium to Large Organizations


Privileged account key business drivers

Regulatory compliance (Sarbanes-Oxley, PCI, BS7799, etc.)

Auditing and reporting

Control

Segregation of duties

Proactive improvement of information security practices

Loss and risk prevention

Return on investment

Administrative password management

Internal breach

Efficiency and productivity

Page 24: Password Management for Medium to Large Organizations


Privileged account business and technical requirement considerations

Exceptionally secure solution for the keys of the kingdom

Supreme performance, availability and disaster recovery due to its mission-critical nature

Flexible distributed architecture to fit the enterprise's complex network topology

Single standard solution for a multi-facet problem

Intuitive and robust interfaces

Page 25: Password Management for Medium to Large Organizations

PowerBroker Password Safe v6.2

Martin Cannard – Product Manager

Page 26: Password Management for Medium to Large Organizations

PAM – A collection of best practices

AD Bridge: use AD credentials to access Unix/Linux hosts

Privilege Delegation: once the user is logged on, manage what they can do

Session Management: managed list of resources the user is authorized to access; gateway proxy capability; audit of all session activity

Password & SSH Key Management: automate the management of functional account passwords and SSH keys

Page 27: Password Management for Medium to Large Organizations

Comprehensive Security Management

► Secure and automate the process for managing privileged account passwords and keys

► Control how people, services, applications and scripts access managed credentials

► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password

► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail

► Alert in real-time as passwords, and keys are released, and session activity is started

► Monitor session activity in real-time, and immediately lock/terminate suspicious activity

Privileged Password Management (people, services, A2A)

Privileged Session Management

SSH Key Management

Page 28: Password Management for Medium to Large Organizations

Privileged Session Management

1. The user authenticates to Password Safe over HTTPS and requests a session to a protected resource.

2. The native desktop tool (MSTSC, PuTTY, etc.) connects to Password Safe, which proxies the connection through to the requested resource.

3. The RDP/SSH session is proxied through the Password Safe appliance to the protected resource.

Page 29: Password Management for Medium to Large Organizations

Privileged Session Management

All actions are indexed and searchable, along with any keystrokes recorded.

Clicking on an action will immediately jump you to that index point of the recording. Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.

Page 30: Password Management for Medium to Large Organizations

Differentiator:

Adaptive Workflow Control

Page 31: Password Management for Medium to Large Organizations

Adaptive Workflow Control

• Day

• Date

• Time

• Who

• What

• Where

Page 32: Password Management for Medium to Large Organizations

Differentiator:

Controlling Application Access

Page 33: Password Management for Medium to Large Organizations

Automatic Login to ESXi example

Diagram (flow): the user selects the vSphere application and credentials in the browser over HTTPS; the RDP client connects to the appliance (RDP, port 4489 in the diagram), which performs the credential checkout against credential management and the user store and launches vSphere as a RemoteApp on the ESX host over RDP (3389); session recording and logging cover the whole session.

Page 34: Password Management for Medium to Large Organizations

Automatic Login to Unix/Linux Applications

Typical use cases:

• Jump host in DMZ

• Menu-driven apps

• Backup scripts

• Role-based apps

Diagram (flow): the user selects the SSH application and credentials in the browser over HTTPS; the RDP client connects to the appliance, which performs the credential checkout and opens the SSH application to the target over SSH (port 22); session recording and logging cover the whole session.

Page 35: Password Management for Medium to Large Organizations

Differentiator:

Reporting & Analytics

Page 36: Password Management for Medium to Large Organizations

Actionable Reporting

Page 37: Password Management for Medium to Large Organizations

Advanced Threat Analytics

Page 38: Password Management for Medium to Large Organizations

What makes Password Safe different?

• Adaptive workflow control to evaluate and intelligently route based on

the who, what, where, and when of the request

• Full network scanning capabilities with built-in auto-onboard capabilities

• Integrated data warehouse and analytics capability

• Smart Rules for building permission sets dynamically according to data

pulled back from scans

• Session management / live monitoring at NO ADDITIONAL COST

• Clean, uncluttered, and intuitive HTML5 interface for end users

Page 39: Password Management for Medium to Large Organizations

Market Validation

• Leader: Forrester PIM Wave, Q3 2016

− Top-ranked Current Offering (product) among all 10

vendors reviewed

− “BeyondTrust excels with its privileged session

management capabilities.”

− “BeyondTrust […] provides the machine learning and

predictive behavior analytics capabilities.”

• Leadership

− Gartner: “BeyondTrust is a representative vendor for all

five key PAM solution categories.”

− OVUM: “BeyondTrust […] provides an integrated, one-

stop approach to PAM… one of only a small band of

PAM providers offering end-to-end coverage.”

− SC Magazine: “Recommended product.”

− … and more from IDC, KuppingerCole, TechNavio, 451Research,

Frost & Sullivan and Forrester

Page 40: Password Management for Medium to Large Organizations

DEMO

Page 41: Password Management for Medium to Large Organizations

Poll

Page 42: Password Management for Medium to Large Organizations

Q&A

Thank you for attending!