Derek A. Smith, C/CISO, CISSP, Fellow at the National Cybersecurity Institute at Excelsior College / Government IT Program Manager
Password Management for Medium to Large Organizations: Guidance for IT Security Policy and Network Infrastructure Design Decisions
Insider Threat – Analysis and Countermeasures 2
Introduction
Today we focus on how decision makers in medium to large organizations can best manage user passwords.
Password Management
Password Protection: The front line of defense against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:
Why organizations still use passwords
Passwords are cheap
Some credentials can only be used on compatible devices
Other credentials + passwords create stronger authentication.
Legacy applications still need passwords
Deploying passwords for user authentication
How passwords are compromised
Devices may be compromised
Users write them down or share them
Passwords can be guessed
Passwords may be stored in plaintext
Passwords can be readily converted back to plaintext
Password management and human limitations
Users are people, not machines, so their ability to securely manage passwords is inherently limited.
Password Strength Guidance
One of the weaknesses of passwords is that they can be guessed.
Attackers can use tools to brute-force passwords:
L0phtCrack: http://www.l0phtcrack.com/ for Windows.
John the Ripper: http://www.openwall.com/john/ for Windows, Mac OS X or Linux.
Password Strength Guidance Cont.
Users should pick hard-to-guess passwords
Users should choose their passwords from the widest possible set of characters
Password Strength Guidance Cont.
To ensure that the search space is sufficiently large:
Passwords must be at least seven characters long.
Passwords must contain at least one lowercase letter, at least one uppercase letter and at least one digit.
If technically possible, passwords must contain at least one punctuation mark, so long as there are many (10 or more) available punctuation marks.
To eliminate trivial passwords, passwords should not:
Contain the user’s name or login ID.
Contain a dictionary word, in any language that users can reasonably be expected to know.
Contain the same letter more than twice in a row (e.g. abbcdde is valid, but abbbcdd is not).
Password management in a Global Society
Global organizations speak a variety of languages. An organization with users around the world needs to enforce a password policy that makes sense for all of them. Some best practices follow from this:
1. Encourage or require users to restrict their passwords to Latin characters, both for compatibility and to avoid input methods which display the characters users type.
2. Do use a dictionary lookup to ensure that new passwords are hard to guess, and do include dictionaries of non-English words represented in Latin character sets (e.g., Pinyin, etc.).
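As an added example (not code from the slides), a Python check that applies the strength and trivial-password rules from the previous slide together with the Latin-only and multilingual-dictionary recommendations above; the sample dictionary is constructed, and reading "Latin characters" as ASCII is my assumption:

```python
import re
import string

# Constructed sample dictionary: English words plus a few non-English words
# written in Latin characters (Pinyin "mima" = password, German "passwort"),
# as the slide recommends for a global user base.
DICTIONARY = {"password", "welcome", "summer", "mima", "nihao", "passwort"}

# Punctuation the target system accepts; the slide requires a punctuation
# mark only when 10 or more are available.
AVAILABLE_PUNCTUATION = frozenset(string.punctuation)


def policy_violations(password, login_id="", user_name="",
                      dictionary=DICTIONARY, punctuation=AVAILABLE_PUNCTUATION):
    """Return the list of slide rules that `password` breaks (empty = accepted)."""
    violations = []
    # Search-space rules
    if len(password) < 7:
        violations.append("shorter than 7 characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if len(punctuation) >= 10 and not any(c in punctuation for c in password):
        violations.append("no punctuation mark")
    # Global-society rule: Latin characters only (modelled as ASCII, an assumption)
    if not password.isascii():
        violations.append("contains non-Latin characters")
    # Trivial-password rules (case-insensitive substring matches)
    lowered = password.lower()
    if any(t and t.lower() in lowered for t in (login_id, user_name)):
        violations.append("contains user's name or login ID")
    if any(word in lowered for word in dictionary):
        violations.append("contains a dictionary word")
    # No letter more than twice in a row: abbcdde passes, abbbcdd fails
    if re.search(r"([A-Za-z])\1\1", password):
        violations.append("same letter more than twice in a row")
    return violations
```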
Password reuse
Change them regularly; a common rule is to force users to change every 60 or 90 days.
Users should not reuse old passwords
Enforce a password rule that limits the number of password changes that a user can make
Password secrecy
Users frequently behave in ways that lead to password disclosure
A comprehensive password policy should explicitly forbid these behaviors
User friendly password management tools and processes should be provided.
Use password synchronization and single sign-on.
Detecting and locking out intruders
Systems can detect repeated attempts to sign into an account with incorrect passwords. Best practice is to combine several intruder lockout-related policies:
Apply only to regular users
A compensating control
Apply a high threshold before triggering an intruder lockout
Automatically clear lockouts after a short while
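An added example, not from the slides, of how those lockout policies combine in code: a high failure threshold, automatic clearing after a short window, and exemption of non-regular accounts; the threshold of 10 and 15-minute window are illustrative, and modelling "regular users" as everything outside an exempt set of privileged accounts is my assumption.

```python
from collections import defaultdict


class IntruderLockout:
    """Intruder lockout combining the policies listed on the slide.

    - applies only to regular users: accounts in `exempt` (assumed to be the
      privileged/service accounts that get a compensating control) never lock;
    - a high threshold of failures before a lock is triggered;
    - the lock clears automatically after `lockout_seconds`.
    Timestamps are epoch seconds supplied by the caller so the logic is testable.
    """

    def __init__(self, threshold=10, lockout_seconds=900, exempt=()):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.exempt = frozenset(exempt)
        self._failures = defaultdict(list)   # account -> recent failure timestamps
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        """True while a lock is active; expired locks are cleared on the way."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register one bad password; return True if the account is locked now."""
        if account in self.exempt:
            return False
        if self.is_locked(account, now):
            return True
        # Only failures inside the window count toward the threshold.
        recent = [t for t in self._failures[account] if now - t < self.lockout_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account, now):
        """A correct password while unlocked resets the failure count."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True
```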
Encrypting passwords: Protecting passwords in transit and at rest.
It is generally not safe to trust the physical security of the communication path between a user’s device and the systems the user signs into.
Use protocol level encryption
Use IPsec where an application does not support network-level encryption
Password synchronization pros and cons
Synchronization reduces security:
If a single system is very insecure, then compromising that system will give an attacker the passwords for every other system which uses synchronized passwords.
This weakness is avoided by minimizing the use of such systems and requiring that users employ unsynchronized passwords on such weak systems.
Synchronization improves security:
Users with many passwords have trouble remembering them and consequently tend to write them down. System security is reduced to the security of a piece of paper, a note on the user’s phone, etc. – i.e., close to zero.
Password synchronization pros and cons cont.
To mitigate the risk follow these guidelines:
Exclude insecure systems
Change synchronized passwords regularly
Force users to choose strong (hard to guess) passwords.
Single sign-on pros and cons
Single sign-on (SSO) is any technology that replaces multiple, independent login prompts with a consolidated authentication process, so that users don’t have to repeatedly sign in.
The help desk process for forgotten and locked out passwords
The help desk process
Security challenges
Mitigating controls
User authentication
The challenges of password management and mobile devices
BYOD challenges
1. Connectivity
2. Cached passwords
BYOD opportunities
What Are Privileged Accounts?
Administrative Accounts
• Owned by the system: not owned by any person or “identity”
• Shared, predefined: UNIX root, Cisco enable, DBA accounts, Windows domain, etc.
Application Accounts
• Hard-coded, embedded: Resource (DB) IDs, Generic IDs, Batch jobs, Testing Scripts, Application IDs
• Service Accounts: Windows Service Accounts, Scheduled Tasks
Personal Computer Accounts
• Windows Local administrator: Desktops, Laptops
• Shared: Help Desk, Fire-call, Operations, Emergency, Legacy applications, Developer accounts
Privilege account common practices and risks
Common practices:
Storage: Excel spreadsheets, physical safes, sticky notes, locked drawers, memorizing, hard coded in applications and services
Resets: Handled by designated IT members, call centers, mostly manual
Known to: IT staff, network operations, help desk, desktop support, developers
Common problems:
Widely known, no accountability
Unchanged passwords
Lost passwords
Same password across multiple systems
Simplistic passwords – easy to remember
Passwords not available when needed
Privilege account key business drivers
Drivers for Administrative Password Management:
• Regulatory Compliance (Sarbanes Oxley, PCI, BS7799 etc.)
• Auditing and Reporting
• Control
• Segregation of Duties
• Proactive Improvement of Information Security Practices
• Loss and Risk prevention
• Return on Investment
• Internal Breach
• Efficiency and Productivity
Privilege account business and technical requirement consideration
Exceptionally secure solution for the keys of the kingdom
Supreme performance, availability and disaster recovery due to its mission-critical nature
Flexible distributed architecture to fit the enterprise complex network topology
Single standard solution for a multi-facet problem
Intuitive and robust interfaces
PowerBroker Password Safe v6.2
Martin Cannard – Product Manager
PAM – A collection of best practices
AD Bridge: use AD credentials to access Unix/Linux hosts.
Privilege Delegation: once the user is logged on, manage what they can do.
Session Management: managed list of resources the user is authorized to access; gateway proxy capability; audit of all session activity.
Password & SSH Key Management: automate the management of functional account passwords and SSH keys.
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Privileged Password Management
Credential consumers: People, Services, A2A. Related capabilities: Privileged Session Management, SSH Key Management.
Session flow through the Password Safe proxy:
1. User authenticates to Password Safe (HTTPS) and requests a session to a protected resource.
2. Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource.
3. The RDP/SSH session is proxied through the Password Safe appliance to the protected resource.
Privileged Session Management
All actions are indexed and searchable, along with any keystrokes recorded. Clicking on an action will immediately jump you to that index point of the recording. Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.
Privileged Session Management
Differentiator: Adaptive Workflow Control
Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
Differentiator: Controlling Application Access
Automatic Login to ESXi example
[Diagram: Browser (HTTPS) and RDP Client on the user side; vSphere RemoteApp and ESX as targets, with links labelled RDP (3389) and RDP (4489). User selects vSphere application and credentials; Credential Checkout from Credential Management (User Store); Session Recording / Logging.]
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
[Diagram: Browser (HTTPS) and RDP Client on the user side; user selects SSH application and credentials; Credential Checkout; SSH Application reached over SSH (22) on both legs; Session Recording / Logging.]
Differentiator: Reporting & Analytics
Actionable Reporting
Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on
the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data
pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10 vendors reviewed
− “BeyondTrust excels with its privileged session management capabilities.”
− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester
DEMO
Poll
Q&A
Thank you for attending!