How to Mitigate Data Breach

by using Secured Privileged

Identity Management Solution

Presenter: Roy Tsang

Snowden case: Privileged accounts are the
master keys to corporate networks

As Snowden told: "When you're in positions of privileged

access, like a systems administrator, for these sort of
intelligence community agencies, you're exposed to a lot
more information on a broader scale than the average
employee ... Anybody in the positions of access with the
technical capabilities that I had could, you know, suck out
secrets."

By identifying and accessing privileged accounts, an unscrupulous insider can easily roam far and
wide inside an organization's network. Such accounts function, in effect, as master keys to the
deepest, most sensitive parts of an organization's digital assets.
The Privilege ID Dilemma

48% of data breaches were caused by privileged misuse

Proactively manage privileged access to prevent such attacks
Privileged ID are everywhere Data Breaches happening?
Local Admin
Root
Database
Network Switch
Security Appliance,
Applications
Service account
Your Risks & Challenges

Your Risks

Third Party Risk

(Outsourcing, Contractor, Cyber Attack
Insider Threats
Vendor)

Your Challenges

Audit & Compliance

Management,
Business User
Regaining the Control over Privileged Administrative
Accounts
Enterprise policy enforcement
Frequent Auto Change
Dual Control
One-time Password
Unique strong password
Strong Auditing
Enterprise Readiness
Long-term, secured Storage
Availability during Disaster
Recovery
Easy to deploy
Agentless
Non-Intrusive
Support extensive platforms
Comprehensive Accountability
Segregation of Duties
Exclusive Password Access
Outsourcing Control
User Activity Monitoring
Never Review the Password
Session Recording
Text Command Recording
DBA Activities
Agent-less
Application Integration Ready
Support extensive programming
language
Local Cache
Common middleware support
Protect the last stand
of our battle
Privilege Attack Vectors: Lets Start with the Simple Trial & Errors

Administrators end-point
Periodic
Passwords
Change

Servers

Periodic
Passwords
Periodic Change
passwords
Change
Once inside the network, the attacker Databases
employs various attack-vectors to
Periodic
achieve his target. Passwords
Change

Virtual Machines
Trying to use default
privileged passwords Periodic
Passwords
Change
Malicious Code

Application Servers
 Privilege Attack Vectors: Then Hijack the Administrator!
Administrators end-point

Privileged erver Privileged

irectl y to sensitive S
Connect d Session Session
Co Isolation Monitoring
nn Servers
ec Conne
to ct dire
ve c tly to s
rp ensitiv
ro e data
xy base

Databases
Malware sees
Privileged Session Manager
pixels and cannot Secure Proxy Control-Point
access the assets

Exploit vulnerable end-point to Virtual Machines

directly access core assets Session is running on an
(Malware, Key Logging, Memory Mapping) isolated secure proxy, not
on the end-point
Malicious Code

Application Servers
 Privileged Identity
Management Solution
Vulnerable Privileged Account Types
Shared Predefined: Shared: Owned by the system:
UNIX root Help Desk Not owned by any
Operations person or identity
Administrative
Administrative Cisco enable
Accounts
Accounts DBA accounts Emergency
Windows domain Legacy applications
Developer accounts
Etc.

Hard-coded, embedded: Service Accounts:

Resource (DB) IDs Windows Service Accounts
Application
Application Application / Generic IDs Scheduled Tasks
Accounts
Accounts Batch jobs COM+
Testing Scripts IIS Application Pool

Windows Local administrator:

Personal
Personal Desktops
Computer
Computer Laptops
Accounts
Accounts
Security Posture Assessment
No installation required single executable with immediate
insight to non compliant accounts

Summarized results on top of report

Detailed list of all accounts discovered and flagging

11
Protecting Administrative Accounts
System User Pass

tops3cr3t
tops3cr3t password1
Unix A root
Unix B root tops3cr3t
orac1e psw4adm
Unix C root tops3cr3t
Oracle A SYS orac1e T&y3p0L
O8=p<zZ
Qom$3#a
nc7Sd3R
mN85p:a
j7t5QdC
l+zM6t1
O9^aziA
Iu~1@r
P9i$b%
0in7$&x
cqg8@fz
lm7yT5w
iaX3f#!
Log5%t
gvIna9%
o70X#jJ
R73#m-
yOb2@1
x8wF$2
iIt$8sa PSM O8=p<zZ
Oracle B SYS orac1e Servers
O8=p<zZ
Person
al ID

System User Pass

Peter John
Oracle A TEST password1
Oracle A PPRD password2 CPM Digital Vault
Oracle A QUAL password3 Hidden Account Discovery
Oracle A CONV password4 Concise Accountability of Shared Account
Oracle A TRNG password5 Enforce Access Control
Databases
Oracle A PROD password6 Intrusion Detection

System User Pass

Desktop A Administrator psw4adm
Desktop B Administrator psw4adm
Laptop C Administrator psw4adm
PCs
Case Studies

13
Major Local Bank in Hong Kong
- Working with HKMA to implement effective PIM Solution
Business Challenges
Determine the extent to feedback to HKMA on their PIM guidelines

Scattered Privileged Accounts lack cohesive policy and process

Lacking transparency into Privileged Activities

Why Cyber-Ark? Key Benefits

Complements HKMA PIM Guidelines Improved Manageability & Security

Comprehensive and Systematic PIM Fulfills and exceeds HKMA

Solution Requirements

Manages all platforms and Privileged

IDs using a single platform

Concise Audit Trail and Reporting

BIG SIX Casino
- Meeting ISO27001 / 27002
Business Challenges
Requirement to adhere to ISO 27001 / 27002

Access Control Management is complicated to be realized

Lack means to document adherence to Standards

Tasks carried out on servers lack transparency

Why Cyber-Ark? Key Benefits

A Single Platform to manage all
Privileged Accounts to Servers,
Network Devices, etc
Implement Access Control to use the
Accounts / Passwords
Run Regular Reports to show
compliance
Concise Control of Access to
Managed Devices
Fine-grain management over who
access what and when
Comprehensive Records
Minimal Operational Overheads
SAFP of Hong Kong
- Challenges of an Managing Cloud Environment
Business Challenges
Enforcing IT Security Guide G3

Manual management operation overloaded with new cloud infrastructure

Outsourced Infrastructure cannot be controlled

Why Cyber-Ark? Key Benefits

Support extensive platform including
VMware and Cloud infrastructure
Comprehensive reporting for audit
purpose
Capability of integrating ticketing
system
Streamline IT operations
Enforcing IT Security Guide G3
requirements
Thin management over outsourced
infrastructure
Global 500 Insurance Company in China
- Challenges of hard coded application password
Business Challenges
Hard coded password in over 1000+ application

Over 50,000 Privileged IDs

Limited resource for application team

Heavy overhead to update hard coded password

Why Cyber-Ark? Key Benefits

Mature technology for Application
Smart cache to guarantee application
server performance
Proven solution among global
enterprises
Scalable solution
Extend password policy enforcement
to application
Automated password change even on
application
Standardize password policy for the
entire corporation
Securing Administrative Accounts Strategies

18
QUESTIONS?

19
THANK YOU

20
How Can I Ensure Only Trusted Applications Get The Password?

My Server

Application Provider authenticates

Requests Application by:
Credentials
Path
Application Password Signature/Hash Vault
Provider OS User
Machine Address

Cyber-Ark API

UserName = GetUsername()
Central Policy
Password = GetPassword() Manager

Host = GetAddress()
Ongoing password
ConnectDatabasechanges are transparent
Database to applications
(Host,UserName,Password)
Hard Coded Passwords A Major Vulnerability
Point
Web Config Files
Configuration Files & Websphere
Databases

Weblogic
Application Servers

JBoss
Clear-text
Windows service
INI/Text Files
UserName = app passwords
Scheduled intasks
Service Accounts Apache
Password = y7qeF$1 connection strings
IIS application pool
Tomcat
Host = 10.10.3.56 found in
ConnectDatabase(Host, UserName, Password)Security
IIS Directory
J2EE Application Serversdatasource
COM+
(Java)
Hard-Coded,
Application Databases and webconfig (IIS)
Registry
Embedded Credentials files create serious
security risks

Third Party
Applications IIS for Windows Server
Also in registry, FTP credentials and more
Eliminate Hard Coded Password

UserName = app
Password = y7qeF$1
Host = 10.10.3.56
ConnectDatabase(Host, Vault

UserName, Password)

Cyber-Ark API
UserName = GetUsername()
Password = GetPassword()
Host = GetAddress()
ConnectDatabase
(Host,UserName,Password)
Supported APIs: CLI, Java, .Net, COM, C/C++
on Windows, RHEL, SUSE Linux/zLinux, Solaris, AIX, HP-UX