It Takes All Types: Password Management for Different Teams and Roles
Dave Shackleford
Voodoo Security
What’s That Sucking Sound? Passwords!!
• Passwords are a continuous source of pain for organizations
• Among the major issues, we have:
– Obnoxious password policies that are too strict
– Weak password policies that are easily broken
– Lack of centralization in password policy
– Password exposure and breaches
DBIR Stats: 2014
• Verizon cited almost 2 out of every 3 breaches involving credentials at some point in the attack campaign
• Many attackers focused almost exclusively on use and abuse of privileged credentials
DBIR Stats: 2015
• In the 2015 DBIR, Verizon noted that every single breached Point-of-Sale (POS) vendor had their credentials breached, allowing attackers to harvest credit card numbers galore.
• In addition, attackers relied less on default credentials being in place, and placed more emphasis on stolen credentials from users.
DBIR Stats: 2016
• Hacking with stolen credentials is WAY up
• 63% of confirmed breaches involve weak, default, or stolen credentials
2017? Security Pros Suck, Too.
Credential Misuse is a PATTERN.
• Based on this repeated series of attacks, we’ve got years of evidence that credential theft and misuse leads to major breaches and exposure
• We still have issues with:
– One-factor authentication (passwords)
– Password management
– Privileged users and credentials
Credential Dumps: Ouch.
• So many in recent years – Yahoo, LinkedIn, Ashley Madison, etc.
• So these are the “Top 10”?
• What the…?
It Takes All Types
• Passwords aren’t a “one-size-fits-all” problem
• Many different types of teams and workers need different password models and policies
• Security and operations teams will need a strategy to deal with them all
First: The “Average User”
• So, what’s an “average user”?
– No sensitive data
– No control of critical systems
– Low risk from account compromise
• These users are still important, but they will represent our “baseline” policy
• There are several different schools of thought on how to address these users
The “Average User” Policy
• Forget long passwords with these guys
– Seriously. They’ll write it down.
• Be reasonable in crafting a policy for these users:
– 8…(10?) characters
– Complexity…maybe?
– Rotation: Less frequently (controversial)
– 5 tries for lockout
– MFA for Remote Access
“Sensitive” Users
• Users that have sensitive job roles or access to sensitive data
• Likely include professionals in the executive ranks, finance, HR, etc.
• These users need a more stringent policy than the “average user”
• However, executives are not always known for “password tolerance”
“Sensitive” User Password Policies
• It turns out, size DOES matter
• Require a passphrase, maybe 12-15 characters in length.
– One way to offset this “burden” is to reduce the password change cycle, maybe only requiring a change once a year or so
• Reduce account lockout to 3 tries
• Push for MFA (at least for remote access)
• Increase account monitoring!
IT & Security Pros
• Yes, these special snowflakes control the entire infrastructure
• These users need the most stringent controls possible
• Once again, ditch complexity
– It’s stupid. Seriously.
• Go with long passphrases
– 15-20 characters is not unreasonable
IT & Security Pros
• In addition, passwords should be rotated every quarter, ideally
– This is being debated today quite a lot
• Implement an OTP system for critical system access
– This is the most effective means of implementing privileged user management
• Require a lower-privilege account for daily use
• MFA should be required for remote access
One last category: Developers
• Developers should ideally be included in “IT Pros”
– OTP should be mandatory for source code access and change
• However, we also have “application access”…
– These should ideally be very long random passwords
– Changed as often as possible
– Use a “secrets management” platform for this, too
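The tiered scheme above (average, sensitive, IT pro, developer application account) expressed as checks a provisioning or audit script could run. This is an added example, not the speaker’s code; where the deck gives no number (rotation for average users; length, age and randomness floor for application secrets) the values are assumptions and are marked as such in the comments.

```python
"""Tiered password-policy checks for the deck's four user classes (average,
sensitive, IT/security pro, developer app account). Constructed example."""
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Tier:
    min_length: int         # minimum password/passphrase length
    max_age_days: int       # rotation interval
    lockout_tries: int      # failed attempts before the account locks
    mfa_remote: bool        # MFA required for remote access
    min_entropy_bits: float # randomness floor; 0 disables the check

TIERS = {
    # 8 chars (deck: "8...(10?)"), 5-try lockout, MFA for remote access;
    # rotation "less frequently" has no number in the deck: 365 is assumed
    "average":   Tier(8, 365, 5, True, 0.0),
    # 12-15 char passphrase, ~annual rotation, 3-try lockout, MFA for remote
    "sensitive": Tier(12, 365, 3, True, 0.0),
    # 15-20 char passphrase, quarterly rotation, MFA for remote access
    "itpro":     Tier(15, 90, 3, True, 0.0),
    # developer application accounts: very long random secrets, changed often
    # (32 chars, 30 days and 128 bits are assumptions, not deck numbers)
    "app":       Tier(32, 30, 3, False, 128.0),
}

def estimate_entropy_bits(secret: str) -> float:
    """Crude: log2(distinct chars) per char; 'xxxx...' scores 0 on purpose."""
    distinct = len(set(secret))
    return len(secret) * math.log2(distinct) if distinct > 1 else 0.0

def evaluate(role: str, secret: str, age_days: int) -> list:
    """Return policy violations for a credential in the tier ([] = complies)."""
    tier = TIERS[role]
    problems = []
    if len(secret) < tier.min_length:
        problems.append(f"length {len(secret)} below minimum {tier.min_length}")
    if age_days > tier.max_age_days:
        problems.append(f"age {age_days}d exceeds {tier.max_age_days}d rotation")
    if tier.min_entropy_bits and estimate_entropy_bits(secret) < tier.min_entropy_bits:
        problems.append("application secret is not random enough")
    return problems

def should_lock(role: str, failed_attempts: int) -> bool:
    """Lockout decision: the account locks at the tier's try count."""
    return failed_attempts >= TIERS[role].lockout_tries

def remote_login_allowed(role: str, mfa_passed: bool) -> bool:
    """Remote access is refused when the tier requires MFA and none passed."""
    return mfa_passed or not TIERS[role].mfa_remote
```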
Password Security: Detection
• Detecting credential hijack and abuse may be difficult
• Things to look for:
– Repeated failed logins
– Authentication attempts/activity at abnormal times
– Unusual patterns of access
– Account or system patterns of connectedness
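The indicators above run as detection logic over a few constructed authentication log lines: a burst of failed logins, a successful login at an abnormal hour, and a first success from a source never seen for that account. This is an added example, not from the deck; the log format, the 3-failures-in-5-minutes threshold and the 07:00-19:59 working-hours window are assumptions.

```python
"""Detection logic for the deck's indicators: repeated failed logins, logins at
abnormal hours, access from a new source. Constructed example and log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log; the format (ISO time, user, src, result) is assumed
SAMPLE_LOG = """\
2017-03-06T09:02:11 user=jdoe src=10.0.0.5 result=OK
2017-03-06T09:15:40 user=asmith src=10.0.0.9 result=OK
2017-03-07T02:14:55 user=jdoe src=10.0.0.5 result=OK
2017-03-07T11:00:01 user=asmith src=198.51.100.7 result=FAIL
2017-03-07T11:00:03 user=asmith src=198.51.100.7 result=FAIL
2017-03-07T11:00:05 user=asmith src=198.51.100.7 result=FAIL
2017-03-07T11:00:08 user=asmith src=198.51.100.7 result=OK
"""

FAIL_THRESHOLD = 3                 # failures inside the window before alerting
FAIL_WINDOW = timedelta(minutes=5) # sliding window for counting failures
WORK_HOURS = range(7, 20)          # 07:00-19:59 counts as a normal hour

def parse(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {**rec, "ts": datetime.fromisoformat(ts)}

def analyze(log_text: str) -> list:
    """Return (timestamp, user, reason) findings in log order."""
    findings = []
    fails = defaultdict(deque)      # user -> timestamps of recent failures
    known_src = defaultdict(set)    # user -> sources seen on successful logins
    for line in log_text.splitlines():
        r = parse(line)
        ts, user, src = r["ts"], r["user"], r["src"]
        if r["result"] == "FAIL":
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                findings.append((ts, user, f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
            continue
        if ts.hour not in WORK_HOURS:
            findings.append((ts, user, "successful login outside working hours"))
        if known_src[user] and src not in known_src[user]:
            findings.append((ts, user, f"first successful login from new source {src}"))
        if fails[user]:                             # success right after a failure burst
            findings.append((ts, user, "success immediately following failures"))
            fails[user].clear()
        known_src[user].add(src)
    return findings
```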
Password Security: Response
• If credentials have been hijacked or abused:
– Change passwords immediately
– Notify partners or any connected 3rd parties
– Look for account activity in logs
– Perform forensics and more in-depth analysis of systems with that user activity
Conclusion
• Passwords can be a nightmare…but they’re not going anywhere soon.
• Developing a more reasonable password management scheme for various users is a smart strategy
• Ideally, you’ll also use solutions that can be managed centrally and easily
PowerBroker Password Safe
Martin Cannard – Product Manager
PAM – A collection of best practices
• AD Bridge: Use AD credentials to access Unix/Linux hosts
• Privilege Delegation: Once the user is logged on, manage what they can do
• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Privileged Password Management
• People, Services, A2A
• Privileged Session Management
• SSH Key Management
Credential Injection Proxy
• User authenticates to Password Safe and requests session to protected resource (HTTPS)
• Unique one-time session key sent down to desktop
• Native desktop tool (MSTSC/PuTTY etc.) connects to the proxy using the session key (RDP / SSH)
• Internal connection to host is established using managed credentials and RDP/SSH session is proxied through the Password Safe appliance (RDP / SSH)
• NO creds/hostname sent to the desktop
• NO jump server required
(Diagram components: Password Safe Proxy, Protected Resources)
Privileged Session Recording
• All actions are indexed and searchable, along with any keystrokes recorded.
• Clicking on an action will immediately jump you to that index point of the recording.
• Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.
Differentiator: Adaptive Workflow Control
• Time
• Day
• Date
• Where
• Who
• What
• Mobile Devices, Security Appliances, Databases, Operating Systems, SaaS & Cloud, Network Devices, Directories, Storage, SCADA, Mainframe
Differentiator: Controlling Application Access
Automatic Login to ESXi example
• User selects vSphere application and credentials
(Diagram components: Browser (HTTPS), RDP Client, RDP (4489), RDP (3389), ESX, vSphere RemoteApp, Credential Checkout, Credential Management, User Store, Session Recording / Logging)
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
• User selects SSH application and credentials
(Diagram components: Browser (HTTPS), RDP Client, SSH (22), SSH (22), SSH Application, Credential Checkout, Session Recording / Logging)
Differentiator: Reporting & Analytics
• Actionable Reporting
• Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10 vendors reviewed
− “BeyondTrust excels with its privileged session management capabilities.”
− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester
DEMO
Poll
Q&A
Thank you for attending!