Find the missing piece to your Privileged Account Management

Enterprises are witnessing a significant change in their IT infrastructure. The contributing factors to these changes are qualitative – be it the constantly changing industry behavior and organizational economies vis-a-vis large infrastructure migration activities, IT procurement changes, mergers & acquisitions, migration to hybrid & cloud platforms, or a changing user and user access landscape. With these changes, the current scenario is such that users can access your infrastructure from any location. All users can be treated as remote users, with millions of passwords and access to be managed and thousands of sessions & activities to be monitored independently on a daily basis, leaving you with an increased attack surface.

Security concerns around Privileged Account Management because of the evolving dynamics

Naturally, the question then arises as to how the rising privileged access needs will be catered to. The popular solution vendors worked on innovative password vaults back in the day. Having said that, it is important to consider whether the architecture and approach of those solutions can cope with the dynamically changing nature of infrastructure needs (read: cloud + on-premise hybrid infrastructure). Are more resources in terms of manpower, effort and costs required? CIOs are analyzing and evaluating tools with a primary objective in mind – does my privileged account management (PAM) tool have the agility and scalability to manage and secure the increasing diversity of the infrastructure while still reducing costs and increasing productivity? The answer to this missing piece has led more enterprises to consider a technology refresh and a move to an ‘as-a-service’ approach for their privileged account management tools.

Management concerns with the current Privileged Account Management measures

It is often observed that traditional Privileged Account Management (PAM) tools are able to provide core privileged access security features such as Password Management and Session Monitoring, but now the focus has shifted to ‘do more with your PAM’. The core features alone do not seem to be cutting it because there is a lot of manual effort involved in managing the solution in its entirety. There are two problems associated with this: first, the cost of deploying resources to manually manage the solution (for instance, to manually provision and de-provision devices and accounts), and second, the drop in productivity that comes with the mundane approach followed in managing the solution. Automation has therefore become the talk of the town and a critical requirement of a Privileged Account Management solution. It allows for up to a 50% reduction in costs. However, incorporating automation into existing PAM solutions would mean disintegrating and then reintegrating the basic foundation of their architecture, which could take a significant amount of time before it comes to fruition. This leads to the management point of discussion – is maintaining my existing Privileged Account Management solution a costlier affair than replacing it? Not surprisingly, the answer to this will give you an insight into the need for a massive Privileged Account Management (PAM) refresh among enterprises. All this is believed to have led enterprises to prioritize privileged access security and consider a reduction in their PAM refresh tenure from the conventional 5 or 7 years down to 3 years. Are you ready for a PAM refresh?

What do you need to tackle these PAM security concerns?

The need of the hour is a privileged account management (PAM) solution that addresses the aforementioned pain areas by focusing on privileged user ACCESS to prevent misuse of privileges and manage access problems. At the same time, the PAM solution should be able to adapt to the evolving infrastructure needs without requiring additional resources (in terms of manpower and hardware). A Privileged Account Management (PAM) solution that is built in a cross-platform and integrated fashion, making it cloud ready, agile and easily scalable, is needed to achieve the levels of security and automation that the current scenario demands. With the rising user landscape both from within and outside the network, the risk has shifted from managing passwords to managing access.

How can Sectona help?

Sectona’s Spectra Privileged Account Management/Privileged Access Management is designed with a unique approach that steps away from conventional challenges and addresses the current and future needs of privileged password & access management. Furthermore, its collaboration-based privileged access technology solves the issue of growing remote users. Most importantly, its use of automation for discovery, provisioning and privileged tasks, to name a few, can help reduce costs and save time, effort and manpower dependence. Spectra PAM has essentially been conceived and developed to address the growing needs of privileged access & modernized IT infrastructure for future-ready enterprises. The focus at Sectona is to educate enterprises on how to prioritize their privileged access from start (read: How to start your Privileged Account Security Program) to end.

Learn more about how Spectra Privileged Account Management (PAM) is tailor-made to address the current and future needs of privileged access management challenges with a focus on automation along with time & cost reduction.
March 15, 2018

How to start your Privileged Account Security Program

What are Privileged Accounts?

Privileged Accounts, as the name suggests, are only for privileged users, super-users and administrators who are entrusted with the responsibility of managing infrastructure or cloud critical systems. These super users are equipped with certain privileged access rights that are not equally enjoyed by other end users. On every system – be it OS, Databases, Network Devices or Applications – there are privileged accounts assigned to perform critical activities. Quite naturally, this means that there can be an abuse of the privileges, intentionally or accidentally, if not appropriately monitored and controlled. (Read how to plan against privilege abuse)

Interestingly, there are different types of privileged accounts that can be assigned to a system. The simplest privileged account, the one most people know of and can relate to, is the default ‘administrator’ account you have seen on your system. This account has been granted rights to have complete control of the system and do anything within the purview of the operations of the system.

Types of Privileged Accounts

Local Account: These accounts have access to a single system that the user is using, i.e. they are local to the user. The user id and password are stored locally on the hard drive of the system being used. Default administrator accounts are local accounts. The local account determines account usability, such as what programs can be installed or removed, what types of files can be accessed, which services can be run or blocked on the system, etc.

Domain Account: These accounts keep IT users’ ids and passwords on the domain controller rather than on the system the user is logged in to. As soon as the domain user logs in to the system, the privileges of that user are requested from the domain controller, and access is then granted to that particular user accordingly. These types of accounts are used where workload is divided among many, so centralized access for them is provided by the domain across a few computers.

Service Account: This account provides users with security for the services that are running on their systems. The services can be configured using the Task Manager or Windows PowerShell. There are basically three types of service accounts in an operating system:
a) Standalone Managed Service Accounts
b) Group Managed Service Accounts
c) Virtual Accounts

Application Account: These accounts vary from business-related forms to database logins. They basically deal with all types of critical roles over the network, depending on peer-to-peer applications. These types of accounts have been designed to track one’s application by logging in to that particular account application.

Default Accounts

Our focus, though, will be the default administrator accounts & built-in accounts. These accounts come into the picture at the time of installation of devices and services. When the systems are installed for the first time, the operating system, database or service installs with default user accounts. These account settings are known as default administrative rights because they have been pre-defined by the software developers of the system. There are various types of default accounts available in various operating systems, such as administrator for Windows, root for Linux, db2admin for IBM Db2, administrator for Microsoft Server 2012, etc.

The security risks, however, come into play when there is a misuse of the access privileges granted to these accounts. This administrator can also create other accounts with equal administrator rights, and sometimes this leads to the creation of new privileged accounts that security teams may or may not know about. So the unaware security team will do the necessary checks to ensure that the access and credentials of the known default administrator accounts are protected. However, abuse of the newly created privileged accounts will go unnoticed, which can expose a serious attack surface.

With security risks around privileged account management taking the driver’s seat, this has become a topic of discussion even among Boards of Directors. Given the nature of cyber-attacks that have been happening in the recent past, where privileged account misuse has been identified as the top attack vector, regulations have tightened with a focus on these privileged accounts. These regulatory frameworks are constantly evolving, and that poses ‘challenges’ to CIOs and CISOs, making it imperative for them to adhere to those regulations to avoid business and reputational losses. A quick recap and gist of the compliance policies are highlighted below.

Regulatory Challenges for Privileged Accounts

| NAME | CLAUSE | DESCRIPTION |
|---|---|---|
| Payment Card Industry Data Security Standard (PCI DSS v3) | Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Health Insurance Portability and Accountability Act (HIPAA-April-2014) | 164.308(a)(5) | Password Management |
| ISO-IEC-27001-2013 | A.9.2.2 | User Access Provisioning |
| | A.9.2.3 | Management of privileged access rights |
| | A.9.2.4 | Management of secret authentication information of users |

If you notice, the regulatory frameworks consistently talk about protecting privileged user credentials and securing their access mechanisms. Essentially, for this you need a deeply integrated and cross-platform Privileged Access Management approach.

Where can Sectona help?

While everyone is aware of the above regulations, no one completely knows how to start their privileged security program. The first step is to identify all the default accounts that are present in their on-premise or cloud infrastructure stack. So, as security consultants, we have stepped in and taken ownership to ease your work and give you a starting point for your Privileged Security Program by providing you with a comprehensive list of default accounts that can be found across infrastructure assets. You may download the template below. We also provide Spectra, a Privileged Access Management solution based on a collaborative, integrated and cross-platform approach.

Download the list

Start now, exploit this knowledge, prioritize your privileged access security and stay compliant. Do keep a lookout for additional resources across network devices and SaaS applications in the coming weeks.
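
The discovery step described above, sketched as an added example that is not part of the original post or of Sectona's product: it parses passwd- and group-format text, collects every account with administrator-equivalent rights (UID 0, or membership of an admin group), and reports the ones missing from the security team's inventory. The sample data, the inventory and the choice of `sudo` and `wheel` as admin groups are assumptions constructed for illustration.

```python
"""Flag privileged Linux accounts that are missing from a known inventory."""

# Constructed sample data in /etc/passwd and /etc/group format (not real hosts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0:backup job:/var/backup:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:100:
users:x:1003:alice,bob,carol
"""

# Assumption: groups that grant administrator-equivalent rights on this host.
ADMIN_GROUPS = {"sudo", "wheel"}

# Assumption: the privileged accounts the security team already tracks.
KNOWN_PRIVILEGED = {"root", "alice"}


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def privileged_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Return {account: [reasons]} for every account with admin-level rights."""
    admin_gids = {}   # gid -> admin group name
    found = {}        # account -> list of reasons it is privileged
    for fields in parse_colon_file(group_text):
        if len(fields) < 4:
            continue  # malformed line, skip
        name, _, gid, members = fields[:4]
        if name in admin_groups:
            admin_gids[gid] = name
            # Supplementary members listed in the group file.
            for member in filter(None, members.split(",")):
                found.setdefault(member, []).append(f"member of {name}")
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 4:
            continue
        user, _, uid, gid = fields[:4]
        # Any UID 0 account is root-equivalent, whatever its name.
        if uid == "0":
            found.setdefault(user, []).append("UID 0")
        # Primary-group membership does not appear in the group file's list.
        if gid in admin_gids:
            found.setdefault(user, []).append(f"primary group {admin_gids[gid]}")
    return found


def unknown_privileged(passwd_text, group_text, known):
    """Return privileged accounts absent from the known inventory, sorted."""
    found = privileged_accounts(passwd_text, group_text)
    return {user: why for user, why in sorted(found.items()) if user not in known}


if __name__ == "__main__":
    report = unknown_privileged(SAMPLE_PASSWD, SAMPLE_GROUP, KNOWN_PRIVILEGED)
    for user, reasons in report.items():
        print(f"UNTRACKED privileged account: {user} ({', '.join(reasons)})")
```

Note that `svc_backup` and `carol` would be missed by a check that only looks at the member lists of admin groups: one is a second UID 0 account, the other holds the admin group as its primary group.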
Diksha Vij February 11, 2018

CISOs – are your administrators trustworthy?

Who is an administrator?

Every computer has an administrator by default – this administrator is the one who enjoys privileges as (s)he is the only person with the authority to perform certain tasks. Tasks such as installing software, configuring the operating system, establishing security policies, maintaining and managing user account passwords and all other management tasks associated with keeping a computer up and running can only be exercised by an administrator. This essentially makes the administrator a person with unequivocal power. Just like we have heard in Spiderman, ‘With great power comes great responsibility’; even in a real-world professional setting, this adage is no alien. Administrators have unparalleled power, and that means there is a great level of responsibility associated with them. However, imagine the plight if an administrator misuses his/her privileges to install bogus software, modify the security policies or change permissions on the system.

Role of CISO in the administrator context

Now, the role of a CISO entails managing the risks to the confidentiality, integrity and availability of the organization’s intellectual property and information technology assets. Given the nature of an administrator’s function and the nature of cyber-attacks lurking around, the most important question for CISOs now is whether the administrators protecting these critical IT assets are trustworthy. The reason is that most of the attacks today are caused by compromised administrator accounts. The most recent hack to have occurred is that of Equifax, where personally identifiable information of over 145 million Americans was stolen, as per reports. The main culprits for the hacks, however, have been identified as malicious insiders, accidental insiders and compromised accounts, as per reports. Linking this to the absolute authority and privileges that administrators enjoy, it is evident that hackers see administrator accounts as the most effective way of hitting where it hurts.

Ways to eliminate administrator perceived security risks

Needless to say, you must stay two steps ahead of cyber-attackers. Have you done a thorough background check of your administrators? Most of you might already have. So what else can be done to mitigate such a situation in the future? This is where information security solutions like Privileged Access Management (PAM) play an important role. These solutions are designed to ensure that a cyber security solution sits above, and in control of, the administrators and not the other way around. Administrator access is completely managed and monitored through Privileged Access Management solutions and, more so, administrator rights can be granted on a ‘need-to-know, need-to-do’ basis.

If you already have a PAM solution, you are on the right path – ensure that the solution is being audited and tested for vulnerabilities. It is a best practice to do so and to perform thorough testing of the solution once every quarter. If you haven’t installed a PAM solution, right now is the time for you to consider prioritizing your privileged access security goals. Regulations have become stringent around this as well, and it is better to act now than be sorry tomorrow.

Sectona provides the solution that can help you secure administrator access

Take a look at what a PAM solution is and what it is capable of doing here. Read our whitepaper on Simpler, Faster & Complete Password Management to know more about effective ways of protecting passwords and ensuring secure access mechanisms.
February 4, 2018

How to plan against privilege misuse and ensure asset security?

The most epic of historical battles have been won when the victor was able to anticipate his adversary’s strategy and stay two steps ahead. It is the same when it comes to privilege misuse. You should be not just two but four steps ahead and anticipate the vectors that hackers can employ to attack your system. And I say this because you must assume that the cyber-attacker is already two steps ahead of you. So you have to be four steps ahead by anticipating potential privilege abuse attacks and taking measures to protect against them. Think like a hacker to stop a hacker.

Well, easier said than done – how can you do this? Let’s break it down. A solution to a problem is just the end objective – but it is the approach to finding that solution which sets you apart and lets you be well prepared for privilege misuse. The first step is for you to identify and understand the problem on hand. While this sounds easy, more often than not, in the information security world, a problem remains unidentified for weeks. Once you know the problem on hand, the next step is to dig deeper and get to the root of the problem. Why did the problem occur? What could have caused it? Albeit time consuming, it is a crucial step for effective troubleshooting. Now things become easy – you know the problem, you know the root of the problem, so finding the right solution becomes a comparatively easier task.

Applying that to information security – you should first understand your infrastructure and identify all the loopholes that can be exploited. Anticipate and predict how privilege misuse can happen in your system. Understand the different modes and means through which cyber-attackers could breach through these vulnerabilities. Now think of the assets you need to protect and the ways to protect them. Remember, this is a careful process where you must understand the business and financial impact of devising mitigation strategies. Lastly, the most important step would be to align the Board with your plans and execute protection strategies at the earliest without further delay.

Logic Analogy with your organization

To put this in better perspective, let’s look at a specific risk example. You have understood your company mission, its business, its technology and its infrastructure, and have defined its crucial information assets such as servers, databases, network devices and others. Now, you understand the vulnerabilities and loopholes associated with this infrastructure. For instance, for these assets, you have privileged users and administrators who act as super users and have significant privilege rights. Can they pose a threat? Absolutely. If you know they are the most important personnel, don’t you think cyber-attackers (hackers) would be aware of the same? There are two possible scenarios now. One is that the privileged users might have an intent of abusing these privileges; alternatively, they are prone to genuine human error which an attacker could take advantage of, leading to privilege misuse. Isn’t it obvious that the hackers will attempt to gain control of these privileged accounts to hack into your assets? As you see, the hackers are already two steps ahead. This step essentially is the characterization of risk. So with that done, how do you analyze how the hackers are two steps ahead and be prepared to protect these assets?

Protecting against privilege misuse

First, make sure you conduct background checks to ensure these administrators and privileged personnel are trustworthy. This way you can partly ensure that a direct inside attack won’t take place.

Secondly, identify and put in place security solutions such as Privileged Access Management (PAM) that help you secure not just the credentials of privileged accounts but also the access rights and privileges of these accounts. This is to ensure that neither do external hackers get access to your administrator account credentials and privileges nor do internal privileged users abuse their privilege rights.

Thirdly, monitor the solution for its effectiveness and vulnerabilities, if any. Assess the agility and scalability of the solution to align with the changing dynamics of your infrastructure.

The next step is to constantly stay updated on the new attack modes and ways and new trends in information security, i.e. be aware and educate yourself persistently. If need be, do not hesitate to undergo a technology refresh and update your privileged access security with the latest technology.

Lastly, repeat the above steps in a regular fashion – it is an ongoing process.

Rest assured, you are two steps ahead in the game and are better equipped to protect your organization from privilege misuse. By following the above, are attackers going to shy away? No, they are not. But you are better prepared and ahead of the curve with the right approach and process set in place to protect your assets from privilege misuse.

How can Sectona help you protect against privilege misuse?

We have a unique Privileged Access Management (PAM) solution that is capable of employing the detect and prevent strategy when it comes to privilege abuse with its unique technology and approach. Download and read our Spectra PAM Datasheet to know more about our approaches and value proposition.
January 17, 2018

What should be your Privileged Access Security Goals for 2018? Prioritization!!

I have been reading Ruchir Sharma’s The Rise and Fall of Nations recently, where I came across two interestingly coined terms – ‘anchoring bias’ and ‘confirmation bias’. Anchoring bias is the tendency to believe good times will last forever. Confirmation bias is the tendency of collecting only the data that confirms one’s existing beliefs. The idea that the book tries to convey is from a global economy perspective where you should identify signs and be attentive to sniff the hidden and not-so-obvious signals. Why am I saying all this and what is the relevance to privileged access security, you may think. Let me explain.

Anchoring Bias in the Privileged Access Security Context

Often, it so happens that in an enterprise setting, as soon as one implements a security solution, there is a tendency to believe that ‘we have implemented a solid security solution, we are compliant with our regulatory requirements, blocked ways for cyberattacks to take place and good times await us going forward’ – this ever so slightly tends to the anchoring bias concept. An extension to this would be thinking ‘we have covered all possible areas of cyberattacks with robust solutions so our attack surface has been reduced’. However, the reality is that so long as an enterprise has critical assets, there will be attackers scheming their attack vectors. Cybersecurity, in general, is never about happily ever after; it is a continuous process. It is a well-known fact that cyber invaders are always on the lookout for new vulnerabilities to exploit, and it is up to the security team to ensure that they don’t give in to the anchoring bias but instead strive to keep finding vulnerabilities and ways to protect those loopholes.

In a similar fashion, you have evaluated and implemented a privileged access security product for your infrastructure and critical assets. But does that end there? Are you monitoring and aware of how the product has been implemented in line with your user requirements or future architectural requirements? Are you on top of all the capabilities of the product and which capability is of paramount priority for your user access? Are you assessing the adoption and usage of the product among all privileged users? Answers to these questions will guide you to an important decision for 2018 – the re-evaluation of existing products.

Confirmation Bias in the Privileged Access Security Context

Let’s evaluate confirmation bias now in this context. How do you ensure you are finding the right vulnerabilities and not missing out on any critical weak points? Are you likely to be the victim of confirmation bias? You are a security expert. You have analyzed historical patterns, identified and zeroed in on the different types of attacks and why those attacks happen, and have even to an extent predicted the kind of attacks that are plausible. Yet, there is a 0.1% chance that you may have given in to confirmation bias by only collecting data enough to analyze historical patterns and your predictions and beliefs of why past attacks happened and why some are predicted to happen.

Based on this, you have identified key privileged accounts and have done the needful to protect their access. But have you rightly identified all the critical devices in your infrastructure (both on premise and cloud) stack? Have you accurately mapped all the different types of privileged accounts associated with these devices? You have considered all your internal privileged users. But what about external users such as third party vendors & remote users? It is the age of remote users; they are everywhere. Even internal users today can be considered remote users, courtesy of trends such as BYOD & offshore outsourcing. It has therefore become imperative today to focus on securing remote privileged access. More often than not, for collaborative activities to be facilitated for remote users, additional privileged accounts are created – sometimes known, in most cases unknown and unaccounted for, exposing security gaps for cyber attackers to leverage. This leaves you thinking that your privileged user security goal for 2018 should be a renewed collaboration-based privileged access security.

Prioritize Privileged Access Security

To play my part in creating more awareness, it is recommended that you prioritize securing the remote aspects of every privileged user – a gateway that can bestow supreme levels of authority and power on cyber attackers, causing enterprises significant business and reputational losses. The goal is to understand the ins and outs of your infrastructure, including critical devices and critical users, and analyze all possible vulnerabilities and weak points. Dare to think of the worst and, as the popular belief goes, ‘hope for the best, prepare for the worst’.

How can we help?

At Sectona, we have engineered an advanced Privileged Access Management (PAM) and have developed a unique cross-platform and collaborative PAM suite for enterprises and service providers of any size and scale. We are equipped to help you stay ahead of the curve from the PAM perspective with our renewed PAM approach. Check out our Spectra Privileged Access Management and SpectraMSP to learn more about our products.
January 2, 2018