password management for different teams and roles

Upload: beyondtrust

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Password Management for Different Teams and Roles

It Takes All Types: Password Management for Different Teams and Roles

Dave Shackleford

Voodoo Security

Page 2

What’s That Sucking Sound? Passwords!!

• Passwords are a continuous source of pain for organizations

• Among the major issues, we have:

– Obnoxious password policies that are too strict

– Weak password policies that are easily broken

– Lack of centralization in password policy

– Password exposure and breaches

Page 3

DBIR Stats: 2014

• Verizon cited almost 2 out of every 3 breaches involving credentials at some point in the attack campaign

• Many attackers focused almost exclusively on use and abuse of privileged credentials

Page 4

DBIR Stats: 2015

• In the 2015 DBIR, Verizon noted that every single breached Point-of-Sale (POS) vendor had their credentials breached, allowing attackers to harvest credit card numbers galore.

• In addition, attackers relied less on default credentials being in place, and placed more emphasis on stolen credentials from users.

Page 5

DBIR Stats: 2016

• Hacking with stolen credentials is WAY up:

Page 6

DBIR Stats: 2016

• 63% of confirmed breaches involve weak, default, or stolen credentials

Page 7

2017? Security Pros Suck, Too.

Page 8

Credential Misuse is a PATTERN.

• Based on this repeated series of attacks, we’ve got years of evidence that credential theft and misuse lead to major breaches and exposure

• We still have issues with:

– One-factor authentication (passwords)

– Password management

– Privileged users and credentials

Page 9

Credential Dumps: Ouch.

• So many in recent years – Yahoo, LinkedIn, Ashley Madison, etc.

• So these are the “Top 10”?

• What the…?

Page 10

It Takes All Types

• Passwords aren’t a “one-size-fits-all” problem

• Many different types of teams and workers need different password models and policies

• Security and operations teams will need a strategy to deal with them all

Page 11

First: The “Average User”

• So, what’s an “average user”?

– No sensitive data

– No control of critical systems

– Low risk from account compromise

• These users are still important, but they will represent our “baseline” policy

• There are several different schools of thought on how to address these users

Page 12

The “Average User” Policy

• Forget long passwords with these guys

– Seriously. They’ll write it down.

• Be reasonable in crafting a policy for these users:

– 8…(10?) characters

– Complexity…maybe?

– Rotation: Less frequently (controversial)

– 5 tries for lockout

– MFA for Remote Access

Page 13

“Sensitive” Users

• Users that have sensitive job roles or access to sensitive data

• Likely include professionals in the executive ranks, finance, HR, etc.

• These users need a more stringent policy than the “average user”

• However, executives are not always known for “password tolerance”

Page 14

“Sensitive” User Password Policies

• It turns out, size DOES matter:

Page 15

“Sensitive” User Password Policies

• Require a passphrase, maybe 12-15 characters in length.

– One way to offset this “burden” is to reduce the password change cycle, maybe only requiring a change once a year or so

• Reduce account lockout to 3 tries

• Push for MFA (at least for remote access)

• Increase account monitoring!

Page 16

IT & Security Pros

• Yes, these special snowflakes control the entire infrastructure

• These users need the most stringent controls possible

• Once again, ditch complexity

– It’s stupid. Seriously.

• Go with long passphrases

– 15-20 characters is not unreasonable

Page 17

IT & Security Pros

• In addition, passwords should be rotated every quarter, ideally

– This is being debated today quite a lot

• Implement an OTP system for critical system access

– This is the most effective means of implementing privileged user management

• Require a lower-privilege account for daily use

• MFA should be required for remote access

Page 18

One last category: Developers

• Developers should ideally be included in “IT Pros”

– OTP should be mandatory for source code access and change

• However, we also have “application access”…

– This should ideally be very long random passwords

– Changed as often as possible

– Use a “secrets management” platform for this, too
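The per-tier rules on the slides above (average user, sensitive user, IT/security pro, plus the developer/application-account case) are easy to encode as data and check mechanically. The following is an added example written for this page, not code from the talk or from BeyondTrust. It assumes a 180-day rotation for the average tier (the slide only says "less frequently") and a lockout of 3 attempts for IT pros (not stated), and the breached-password list is a constructed stand-in for a real feed.

```python
"""Tiered password policy as data plus a checker.

Added example: not from the slides and not BeyondTrust's code. It encodes the
three tiers the talk describes (average user, sensitive user, IT/security pro)
and evaluates a candidate password and an account's state against its tier.
Values the slides leave open are assumptions and are marked as such.
"""
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class TierPolicy:
    min_length: int        # passphrase length floor; no complexity rule, as the talk argues
    max_age_days: int      # rotation interval
    lockout_attempts: int  # failed logins before lockout
    mfa_remote: bool       # MFA required for remote access
    otp_critical: bool     # OTP required for critical-system access


POLICIES = {
    # slide 12: 8..10 characters, lockout at 5, MFA for remote access.
    # "rotate less frequently" is not quantified; 180 days is an assumption.
    "average": TierPolicy(10, 180, 5, True, False),
    # slide 15: 12-15 character passphrase, change about once a year, lockout at 3.
    "sensitive": TierPolicy(12, 365, 3, True, False),
    # slides 16-17: 15-20 character passphrase, quarterly rotation, OTP for critical systems.
    # No lockout threshold is given for this tier; 3 (same as sensitive) is an assumption.
    "it_pro": TierPolicy(15, 90, 3, True, True),
}

# Constructed stand-in for a breached-password feed (the "Top 10" lists on slide 9).
# Kept as SHA-1 digests so the plaintext list never has to live in the application.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "qwerty", "letmein", "Summer2017!")
}


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def evaluate_password(tier: str, password: str) -> list[str]:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    policy = POLICIES[tier]
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"too short: {len(password)} < {policy.min_length}")
    if is_breached(password):
        problems.append("appears in breached-password list")
    return problems


def account_state(tier: str, password_age_days: int, failed_attempts: int) -> dict[str, bool]:
    """Rotation and lockout decisions for an account in the given tier."""
    policy = POLICIES[tier]
    return {
        "rotate_now": password_age_days >= policy.max_age_days,
        "locked_out": failed_attempts >= policy.lockout_attempts,
    }


def access_controls(tier: str, remote: bool, critical_system: bool) -> set[str]:
    """Extra factors the tier demands for a given access: 'mfa' and/or 'otp'."""
    policy = POLICIES[tier]
    required = set()
    if remote and policy.mfa_remote:
        required.add("mfa")
    if critical_system and policy.otp_critical:
        required.add("otp")
    return required


def generate_service_secret(length: int = 40) -> str:
    """Slide 18: application accounts get long random secrets, held in a secrets manager,
    never a human-memorable passphrase."""
    alphabet = string.ascii_letters + string.digits + "-_.~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(evaluate_password("it_pro", "correct horse"))     # too short for this tier
    print(account_state("sensitive", 400, 3))               # rotate and locked out
    print(access_controls("it_pro", remote=True, critical_system=True))
```

The point of keeping the tiers as data is that the same checker serves all roles; raising IT pros from 15 to 20 characters, or dropping average-user rotation, is a one-line change rather than a new code path.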

Page 19

Password Security: Detection

• Detecting credential hijack and abuse may be difficult

• Things to look for:

– Repeated failed logins

– Authentication attempts/activity at abnormal times

– Unusual patterns of access

– Account or system patterns of connectedness
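Three of the four signals on the slide can be checked directly against an authentication log. The following is an added example for this page (not from the talk or from BeyondTrust): it parses a constructed, syslog-like auth log and flags repeated failures inside a sliding window, successful interactive logons outside business hours, and accounts touching an unusual number of hosts. The log format, thresholds, business hours and the `svc_backup` service-account exclusion are all assumptions.

```python
"""Credential-abuse detection over authentication log lines.

Added example (not from the slides). It parses a constructed, syslog-like
auth log and flags the signals slide 19 lists: repeated failed logins,
authentication at abnormal hours, and unusual account-to-host fan-out.
The log format and all thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not real data. bob is brute-forced then succeeds, alice
# logs on at 02:15, carol walks across five hosts in five minutes.
SAMPLE_LOG = """\
2017-04-10T09:01:12 host=web01 user=alice result=success src=10.0.1.15
2017-04-10T09:03:40 host=web01 user=bob result=failure src=10.0.1.22
2017-04-10T09:03:45 host=web01 user=bob result=failure src=10.0.1.22
2017-04-10T09:03:51 host=web01 user=bob result=failure src=10.0.1.22
2017-04-10T09:03:58 host=web01 user=bob result=failure src=10.0.1.22
2017-04-10T09:04:05 host=web01 user=bob result=failure src=10.0.1.22
2017-04-10T09:04:12 host=web01 user=bob result=success src=10.0.1.22
2017-04-11T02:14:09 host=db01 user=svc_backup result=success src=10.0.9.4
2017-04-11T02:15:30 host=db01 user=alice result=success src=10.0.1.15
2017-04-11T10:20:00 host=db01 user=carol result=success src=10.0.1.30
2017-04-11T10:21:00 host=db02 user=carol result=success src=10.0.1.30
2017-04-11T10:22:00 host=fs01 user=carol result=success src=10.0.1.30
2017-04-11T10:23:00 host=web02 user=carol result=success src=10.0.1.30
2017-04-11T10:24:00 host=web03 user=carol result=success src=10.0.1.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log: str) -> list[dict]:
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def repeated_failures(events, threshold=5, window=timedelta(minutes=5)) -> set[str]:
    """Users with at least `threshold` failures inside any sliding `window`."""
    flagged = set()
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            by_user[ev["user"]].append(ev["ts"])
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def off_hours_logins(events, business_hours=(7, 19), service_accounts=frozenset()) -> set[str]:
    """Interactive users who authenticated successfully outside business hours."""
    lo, hi = business_hours
    return {
        ev["user"] for ev in events
        if ev["result"] == "success"
        and ev["user"] not in service_accounts
        and not (lo <= ev["ts"].hour < hi)
    }


def unusual_fanout(events, max_hosts=3) -> set[str]:
    """Accounts that reached more distinct hosts than expected (connectedness signal)."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            hosts[ev["user"]].add(ev["host"])
    return {u for u, h in hosts.items() if len(h) > max_hosts}


def detect(log: str) -> dict[str, set[str]]:
    events = parse(log)
    return {
        "repeated_failures": repeated_failures(events),
        "off_hours": off_hours_logins(events, service_accounts={"svc_backup"}),
        "fanout": unusual_fanout(events),
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Each check deliberately tolerates a different tier: the fan-out threshold and business-hours window should be set per role (an IT pro touching five hosts is normal, an HR user doing so is not), which is the same tiering the talk applies to the policies themselves.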

Page 20

Password Security: Response

• If credentials have been hijacked or abused:

– Change passwords immediately

– Notify partners or any connected 3rd parties

– Look for account activity in logs

– Perform forensics and more in-depth analysis of systems with that user activity

Page 21

Conclusion

• Passwords can be a nightmare…but they’re not going anywhere soon.

• Developing a more reasonable password management scheme for various users is a smart strategy

• Ideally, you’ll also use solutions that can be managed centrally and easily

Page 22

PowerBroker Password Safe

Martin Cannard – Product Manager

Page 23

PAM – A collection of best practices

• AD Bridge: Use AD credentials to access Unix/Linux hosts

• Privilege Delegation: Once the user is logged on, manage what they can do

• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity

• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys

Page 24

Comprehensive Security Management

► Secure and automate the process for managing privileged account passwords and keys

► Control how people, services, applications and scripts access managed credentials

► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password

► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail

► Alert in real-time as passwords and keys are released and session activity is started

► Monitor session activity in real-time, and immediately lock/terminate suspicious activity

[Diagram: Privileged Password Management (People, Services, A2A); Privileged Session Management; SSH Key Management]

Page 25

Credential Injection Proxy

• User authenticates to Password Safe (HTTPS) and requests a session to a protected resource

• A unique one-time session key is sent down to the desktop

• The native desktop tool (MSTSC/PuTTY etc.) connects to the Password Safe proxy using the session key (RDP / SSH)

• The internal connection to the host is established using managed credentials, and the RDP/SSH session is proxied through the Password Safe appliance to the protected resource

• NO creds/hostname sent to the desktop

• NO jump server required
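The security property of this flow is that the desktop only ever holds a short-lived, single-use key, while the hostname and the managed credential are resolved on the proxy side. The following is an added, simplified in-memory model of that exchange written for this page; it is not BeyondTrust's code or wire protocol. The ACL, the credential store, the key format (`secrets.token_urlsafe`) and the 60-second TTL are assumptions, and the stored secret is a constructed placeholder.

```python
"""In-memory model of a credential-injection proxy.

Added example: a simplified model of the flow slide 25 describes, not
BeyondTrust's code or protocol. The vault returns only a one-time session key
to the desktop; the target hostname and the managed credential are resolved on
the proxy side when the native client presents that key. The ACL, credential
store, key format and TTL are assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    resource: str
    expires_at: float


class PasswordSafeModel:
    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self.ttl = ttl_seconds
        self.sessions: dict[str, Session] = {}
        self.audit: list[str] = []
        # Constructed managed (functional-account) credentials; never returned to a desktop.
        self._creds = {"db01.internal": ("root", "managed-secret-CONSTRUCTED")}
        # Constructed authorization list: which protected resources each user may request.
        self._acl = {"alice": {"db01.internal"}}

    def request_session(self, user: str, resource: str) -> str:
        """User (already authenticated to the safe) requests a session; only a key comes back."""
        if resource not in self._acl.get(user, set()):
            self.audit.append(f"DENY {user} -> {resource}")
            raise PermissionError(f"{user} is not authorized for {resource}")
        key = secrets.token_urlsafe(32)
        self.sessions[key] = Session(user, resource, time.monotonic() + self.ttl)
        self.audit.append(f"ISSUE key for {user} -> {resource}")
        return key  # carries neither hostname nor credential

    def proxy_connect(self, key: str) -> tuple[str, str]:
        """Native client presents the key; the proxy resolves target and credential itself.

        Returns (target_host, account) to stand for the inbound connection. The secret is
        consumed here and never returned to the caller.
        """
        session = self.sessions.pop(key, None)  # pop: a key can be presented exactly once
        if session is None:
            self.audit.append("REJECT unknown or already-used key")
            raise PermissionError("invalid session key")
        if time.monotonic() > session.expires_at:
            self.audit.append(f"REJECT expired key for {session.user}")
            raise PermissionError("session key expired")
        account, _secret = self._creds[session.resource]
        self.audit.append(f"CONNECT {session.user} -> {session.resource} as {account}")
        return session.resource, account


if __name__ == "__main__":
    safe = PasswordSafeModel()
    key = safe.request_session("alice", "db01.internal")
    print(safe.proxy_connect(key))   # ('db01.internal', 'root')
    try:
        safe.proxy_connect(key)      # replay of the one-time key
    except PermissionError as exc:
        print("replay rejected:", exc)
    print(safe.audit)
```

Two details carry the property: the key is removed from the table at first use (so a key lifted from the desktop cannot be replayed), and the expiry is checked after lookup (so a stolen but unused key is only useful inside the TTL). Every decision also lands in the audit list, which is what the session-recording slides that follow build on.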

Page 26

Privileged Session Recording

All actions are indexed and searchable, along with any keystrokes recorded.

Clicking on an action will immediately jump you to that index point of the recording.

Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.

Page 27

Differentiator: Adaptive Workflow Control

Page 28

Differentiator: Adaptive Workflow Control

Requests are evaluated and routed on:

• Time

• Day

• Date

• Where

• Who

• What

[Diagram: managed platform types: Mobile Devices, Security Appliances, Databases, Operating Systems, SaaS & Cloud, Network Devices, Directories, Storage, SCADA, Mainframe]

Page 29

Differentiator: Controlling Application Access

Page 30

Automatic Login to ESXi example

[Diagram: User selects the vSphere application and credentials in the Browser (HTTPS); RDP Client → vSphere RemoteApp (RDP 4489 / RDP 3389) → ESX; components: Credential Checkout, Credential Management, User Store, Session Recording / Logging]

Page 31

Automatic Login to Unix/Linux Applications

Typical Use Cases

• Jump host in DMZ

• Menu-driven Apps

• Backup Scripts

• Role-based Apps

[Diagram: User selects the SSH application and credentials in the Browser (HTTPS); RDP Client → SSH Application (SSH 22 / SSH 22); components: Credential Checkout, Session Recording / Logging]

Page 32

Differentiator: Reporting & Analytics

Page 33

Actionable Reporting

Page 34

Advanced Threat Analytics

Page 35

What makes Password Safe different?

• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request

• Full network scanning capabilities with built-in auto-onboard capabilities

• Integrated data warehouse and analytics capability

• Smart Rules for building permission sets dynamically according to data pulled back from scans

• Session management / live monitoring at NO ADDITIONAL COST

• Clean, uncluttered, and intuitive HTML5 interface for end users

Page 36

Market Validation

• Leader: Forrester PIM Wave, Q3 2016

− Top-ranked Current Offering (product) among all 10 vendors reviewed

− “BeyondTrust excels with its privileged session management capabilities.”

− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”

• Leadership

− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”

− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”

− SC Magazine: “Recommended product.”

− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester

Page 37

DEMO

Page 38

Poll

Page 39

Q&A

Thank you for attending!