
Reducing risks through access controls, privilege management and auditing

Aug 09, 2015


Bruno Caseiro
Transcript
Page 1: Reducing risks through access controls, privilege management and auditing

Reducing risks through access controls, privilege management and auditing

© 2013 BeyondTrust Software

Bruno Caseiro, CISSP, GWAPT, CEH, MCSE, Security Sales Engineer

Page 2

Agenda

About BeyondTrust

Security concepts that are rarely implemented (properly)

High Profile Breaches in 2013 and 2014

What can we do to reduce the attack surface?

Page 3

BeyondInsight IT Risk Management Platform: Capabilities

Privilege & Access Management (Internal Risk Management)

• Privileged Password Management
• Shared Account Password Management
• Privileged Session Management
• Privileged Threat Analytics
• User Activity and Entitlement Auditing
• AD Bridge for UNIX/Linux and Mac
• Automated AD Recovery & Protection

Vulnerability Management (External Risk Management)

• Vulnerability Management
• Regulatory Compliance Reporting
• Configuration Compliance Assessment
• Integrated Patch Management
• Endpoint Protection Agents

• Reporting & Analytics
• Central Data Warehouse
• Asset Discovery
• Asset Profiling
• Asset Smart Groups
• User Management
• Workflow & Notification
• Third-Party Integration

• IT Security: Optimize Controls
• IT Risk: Calculate Risk
• Management: Prioritize Investments
• Compliance & Audit: Produce Reports
• IT Operations: Prioritize Mitigation

Page 4

Security concepts rarely implemented (properly)


Page 5

Security concepts that are rarely implemented

Least Privilege: Least privilege requires that a user be given no more access privilege than necessary to perform a job, task, or function.

Need to know: Should be used heavily in situations where operational secrecy is a key concern, in order to reduce the risk that someone will leak that information to the enemy. It is a companion concept to least privilege: it defines that minimum as a need for that access based on job or business requirements.

Page 6

High Profile Breaches in 2013


Page 7

EDWARD SNOWDEN AND THE NATIONAL SECURITY AGENCY

Edward Snowden, a contractor working as a systems administrator for the NSA, convinced several of his co-workers to provide him with their system credentials, according to a report by Reuters. Snowden may have convinced up to 25 employees at the NSA to give him their usernames and passwords under the pretext that he needed them to do his job.

High Profile Breaches in 2013 - NSA

Page 8

In a statement to CSO, a Vodafone spokesperson said that there was a "sophisticated and illegal intrusion into one of its servers in Germany," and that the attack appears to have been executed by someone inside the company. An individual has been identified by the police, and their assets have been seized, but there was no further information available by deadline. Speculation by local media in Germany has pointed to a sub-contractor who worked with the telecom giant's administration system as the key suspect.

High Profile Breaches in 2013 - Vodafone

Page 9

High Profile Breaches in 2013/2014 - JPMorgan

Page 10

High Profile Breaches in 2013/2014 - ShellShock

Page 11

What can we do to reduce the attack surface?


Page 12

How can someone get access to your systems?

They have a valid credential (username and password); this valid credential must also have the appropriate privileges.

They can exploit an existing vulnerability in your system, and in that case they do not need credentials.

Page 13

What can we do to reduce the attack surface?

Enforce Least Privilege across your organization;

Control who can access each privileged account and system in your environment;

Audit what users are doing when they are granted privileged access.

Audit who is accessing your data, look for anomalies, create alerts, and fix excessive permissions:

Changes to critical objects in AD (e.g. the Domain Admins group); sensitive files and folders on your systems; executive or strategic mailboxes in your MS-Exchange; sensitive records, tables or databases in MS-SQL, Oracle, and DB2.

Identify if you can get compromised by external attacks

Audit your vulnerabilities, prioritize, and fix them.

Page 14

How to enforce Least Privilege?

Solution: PowerBroker for Windows


Page 15

Who has local administrator rights today?

Page 16

Which applications requested elevation?

Page 17

Assign admin rights only to approved / business applications

Page 18

Session Monitoring – Audit what users are doing after launching applications with admin rights.

Page 19

How to control access to privileged accounts?

Solution: PowerBroker Password Safe


Page 20

PowerBroker Password Safe (architecture diagram)

Actors: User (Web Interface); Application or Script; PowerBroker Safe Administrator or Auditor (Web or CLI Interface); Manager (Web Interface).

Flows: Approval Request from the User to the Manager; Approval, Administration, Auditing, etc. by the Administrator or Auditor; Password Request from the User, Password retrieved via SSH or HTTPS; Password Request from the Application or Script, Password retrieved via API or PBPSRUN; Login with Password to the managed systems.

Managed systems: Routers / Switches; Firewalls; Windows Servers; Unix/Linux Servers; SSH/Telnet Devices; IBM iSeries Servers; IBM zSeries Servers; AD/LDAP Directories; Databases.

Page 21

Session Management

Page 22

Account password age – identify issues!

Page 23

Service Account Usage

Page 24

Audit your environment

Microsoft File Servers, Active Directory, Exchange, Event Viewer; Databases: Oracle, MSSQL, and DB2


Page 25

Monitor any change that occurs in A.D.: User, Group, OU, Printer (deleted, changed, created, etc.)

Who? When? Where? What?

Page 26

Protect critical objects in A.D.: specify that in the "Domain Admins" group, only the user "cassio" can make changes. Even other domain admins will not be able to change that.

Page 27

Audit for File Servers: Who accessed the file salary.xls in the last 30/60/90 days?

Who is really accessing/changing your critical data? Email me if someone deletes or changes the file secrets.doc.

Page 28

Audit of Events: What are the errors or security events that are happening on my servers?

You are seeing user accounts being locked out. Where is it happening? Would you like to get alerts when certain types of events are generated?

Page 29

Audit for Microsoft Exchange: An email message has "disappeared". When did it happen, and who deleted it?

Who is reading your CEO's e-mail messages? Only him? Really? Would you like to receive an alert when it occurs?

Page 30

Audit for MSSQL, Oracle, and DB2: What changes occurred in the last 24 hours?

Is someone looking at sensitive tables like salary, credit cards, etc.? Would you like to receive an alert if suspicious activity occurs?

Page 31

Audit your vulnerabilities, prioritize, and patch them! Solution: Retina CS – Vulnerability Mgmt


Page 32

BeyondInsight Retina CS: Audit vulnerabilities across your whole IT environment

Page 33

Where is your risk higher?

Page 34

Patch Management

- Patches for Microsoft (Windows, MSSQL, Office, etc.)
- Java
- Adobe
- WinRAR
- Firefox, Chrome, etc.

Page 35

Risk Matrix Reduction

Page 36

Challenge - You will be surprised!

How many administrators do you have in your environment?

How many service accounts do you have in your environment?

Who is accessing your top 5 sensitive folders?

If you create and add a "hacker" account to the Domain Admins group, when will people realize it?

Last time the password for these accounts was changed:
- Domain Administrator on Windows;
- Administrator account on your MS-Windows workstations;
- root on your Linux and Unix systems;
- admin password for your networking devices (switches, firewalls, etc.);
- SA password for your MS-SQL or Sysadmin for your Oracle.

How many vulnerabilities can be exploited remotely? I mean, easily exploited remotely with tools already available on the Internet.
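The "hacker account in Domain Admins", the "Who? When? Where? What?" AD change questions and the lockout question from the Audit of Events slide can all be answered from the Windows Security log. The following is an added example, not BeyondTrust or PowerBroker code: it runs simple detection logic over constructed event records. The event IDs are the standard Windows ones; the flat field names (`Subject`, `Target`, `Group`, `CallerComputer`) are an assumed simplified export, not the native EVTX schema, and the lockout threshold is an assumed value.

```python
"""Added example (not BeyondTrust code): detection over constructed Windows Security
events. Event IDs are standard Windows: 4720 user account created, 4728 member added to a
security-enabled global group (Domain Admins is one), 4740 user account locked out.
Field names are a simplified export, assumed for the example."""
from collections import Counter
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample records, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2014-10-01T09:00:00", "Subject": "cassio", "Target": "hacker", "Computer": "DC01"},
    {"EventID": 4728, "Time": "2014-10-01T09:01:00", "Subject": "cassio", "Target": "hacker",
     "Group": "Domain Admins", "Computer": "DC01"},
    {"EventID": 4728, "Time": "2014-10-01T09:05:00", "Subject": "cassio", "Target": "svc_backup",
     "Group": "Backup Operators", "Computer": "DC01"},
    {"EventID": 4740, "Time": "2014-10-01T10:00:00", "Target": "alice", "CallerComputer": "WS-17", "Computer": "DC01"},
    {"EventID": 4740, "Time": "2014-10-01T10:01:00", "Target": "bob", "CallerComputer": "WS-17", "Computer": "DC01"},
    {"EventID": 4740, "Time": "2014-10-01T11:30:00", "Target": "dave", "CallerComputer": "WS-02", "Computer": "DC01"},
]


def privileged_group_changes(events):
    """Who? When? Where? What? for every addition to a privileged global group."""
    return [{"who": e["Subject"], "when": e["Time"], "where": e["Computer"],
             "what": f"added {e['Target']} to {e['Group']}"}
            for e in events if e["EventID"] == 4728 and e.get("Group") in PRIVILEGED_GROUPS]


def new_accounts_made_privileged(events, window_minutes=60):
    """Accounts created (4720) and then added to a privileged group (4728) within the
    window: the 'hacker account in Domain Admins' challenge from the deck."""
    created = {e["Target"]: datetime.fromisoformat(e["Time"])
               for e in events if e["EventID"] == 4720}
    flagged = []
    for e in events:
        if e["EventID"] != 4728 or e.get("Group") not in PRIVILEGED_GROUPS:
            continue
        if e["Target"] in created:
            age = datetime.fromisoformat(e["Time"]) - created[e["Target"]]
            if 0 <= age.total_seconds() <= window_minutes * 60:
                flagged.append(e["Target"])
    return flagged


def lockout_hotspots(events, threshold=2):
    """Where are lockouts happening? Count 4740 events per caller computer and return
    the computers at or above the threshold (threshold is an assumed value)."""
    counts = Counter(e["CallerComputer"] for e in events if e["EventID"] == 4740)
    return {computer: n for computer, n in counts.items() if n >= threshold}
```

On a real domain controller the same three checks would run over a Security log export filtered to those event IDs, with the window and threshold tuned to the environment.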

Page 37

Thank You! Bruno [email protected] # 18
