February 10, 2008
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


June 01, 2007
Podcast: 80 Percent of Security Attacks Come From the Inside: A Talk With Cyber-Ark

Listen to or download the entire 10:40 podcast below:


Download file

What follows is a summary of my discussion with Adam Bosnian, Vice President of Products, Strategy and Sales at Cyber-Ark Software, where we cover the many problems of insider attacks: why they have become such a problem, why privileged passwords are often used in insider attacks, what Cyber-Ark can do about it, where most companies fail in password compliance, and finally, what’s in store for the future of password security.

Why have insider attacks become such a serious issue for businesses?

I think there are really two answers to that: no. 1 -- organizations have done a very good job in the last five or six years in terms of securing the perimeter of their network and making sure they're keeping the bad guys out. What they're not as aware of today is what's going on inside the network and what the insiders are doing, what they are having access to and what they are doing with their data. We have actually had some conversations with bank examiners from the Office of the Comptroller of the Currency where they communicate exactly the same point, where they feel that banks have done a good job of securing the perimeter but they really don't have a good idea of who's doing what within their organization. That's no. 1.

No. 2 is -- traditionally, people have been "trusting" their internal resources and making sure the bad guys from the outside don't do anything untoward. But the truth is, we have a lot of data out there that says that the data breaches that are occurring and some of the security incidents that have been occurring have been caused from inside the organization rather than outside the organization. We have some data that says 80% of security incidents have been caused by people on the inside and of those, 50% of them could have been dealt with if they had a better deprovisioning and better security model within their organization.

Why are privileged passwords so often used in insider attacks?

Well, number one, they're very powerful accounts. When we talk about a privileged account or privileged password, we're talking about that system administrator account on a Wintel box or a root user on a Unix box or a Cisco enabler on a Cisco environment, etc. And these accounts, since they are the administration accounts, have full access to be able to control that target system configuration, who can access it, etc. And they also have full access to all of the data that's on that system. So first, they have full control and a lot of access to that target system. No. 2, though, those privileged accounts are also generic. It's that "invisible man" concept that says, "well, it looks like in the log system that the administrator logged in and they did x, y, z but I don't know who the system administrator is because it isn't attributed to Adam Bosnian or to Peter, it just shows up in the log as system administrator."

So, no. 1, the accounts are very powerful. Full access to the machine. Full access to the data. And no. 2, they're generic, meaning there are no footprints. And so people can get away with whatever they want to without it being attributed to their specific end user.

How does Cyber-Ark protect the company against insider attacks?

Well, first of all, we want to make sure that we secure access to these privileged accounts. So we use what we call our enterprise password vault and the core technology being a digital vault to really wrap a lot of security around these privileged passwords, no. 1. So that we know the bad guys can't get them and only the good guys with the right access rights can have access to them. That's no. 1.

No. 2, we personalize access to those accounts. So that when you need to get a password out of the Enterprise password vault, the first thing you need to do is you need to authenticate to the Enterprise password vault with whatever authentication mechanisms your organization uses. So that you are identifying yourself. Okay, "I'm Adam Bosnian, I need access to the root user password for that UNIX system." So now I know that having gone through that process, whatever I do on that target UNIX system is going to be attributed to me as Adam Bosnian not to the generic root user which would give me that invisible man background behind it.

No. 3, we also go change the passwords to those target accounts on a company defined basis for frequency, for length, strength and uniqueness across multiple systems, so that at any one time, no one within your organization will know what the then-current password is for one of those target systems without going through the enterprise password vault first.

So we secure those accounts, we personalize those accounts, we manage those accounts and the passwords in terms of length, strength, frequency and uniqueness, and then we provide a nice detailed audit trail behind it, so if anybody wants to see what activity happened around those accounts, they can look at those audit trails and attribute it down to the actual end user who did what, when they did it, etc.

Let's say a disgruntled employee builds a secret back door into a company's computer system. How would Cyber-Ark stop that person before he could do damage later on?

What we found was a lot of times when those back doors are created, they are created again to be invisible. And so they don't create them as the Adam Bosnian identity is going to access, I'm going to create an Adam Bosnian account on that target system and then use that to log in after I'm fired. Because the truth is, my Active Directory account, once I'm deprovisioned out of Active Directory because I've left the organization, that account will no longer be viable, correct?

So a lot of those back doors are created as the system administrator or privileged accounts in a shared generic manner so that there are no footprints. What will happen in that case is that we have an auto-discovery capability that allows our product to go and traverse the Windows infrastructure within that organization to identify any privileged accounts on those target systems.

So let's say on day 1, when the employee is working there, we know that there are a hundred privileged accounts within that environment. If that employee goes and creates an additional account, if you run that auto-discovery process a second time, we'll find that additional account. We can then have that brought into the enterprise password vault. We go ahead and change the password that is required to access that account, and then once the person is deprovisioned from the vault and leaves the organization, he is no longer going to gain access to the password through the back door that he just created.

Where do most companies fail when it comes to compliance?

You know, I'm sure there is a range of areas where companies are having challenges within the compliance and regulatory arena. We only really see it from that privileged world. And there are really four areas that we see highlighted in a variety of audits, whether it's a PCI audit, Sarbanes-Oxley audit, OCC bank examination, etc. No. 1 is are you securing these passwords so only the good guys can get them and the bad guys can't? Are you doing something more than yellow sticky-notes, Excel spreadsheets, data center white boards, etc.

So securing privileged accounts and securing privileged passwords is the no. 1 area where we're seeing organizations being highlighted on and being dinged on. Secondly, though, and I think the most common and maybe the most important area that is being highlighted in audits, is you need to attribute who did what to the actual end user, Adam Bosnian or Peter, etc. And a lot of organizations don't have that attribution in their environment without something like the enterprise password vault and so the auditor says, "Show me who accessed that box. OK, system administrator accessed that box. Who was the system administrator who accessed that box at 1:05?" Well, the organization can't say because they have 50 system administrators; it could have been any one of those 50.

Third area is passwords and accounts not being managed according to company policy. The company policy makes end users change their password every 30 days, 60 days, 90 days, whatever it might be. When was the last time you changed the system administrator account on that Wintel machine? Very often, they haven't changed it at all or it's once every six months, something along those lines. We have situations where embedded application identities in a lot of cases, have never been changed. We have 42 percent of people responding to a survey saying they've never changed an embedded application identity password in the history of that application being up and running.

And then, fourthly, is do you have any of those embedded application identities and their passwords available in the script or in a config file in a hard-coded clear-text manner? What I mean by that is I have an application that needs to access a database. There's some kind of script or config file in the middle that allows that application to actually log into the database.

That password for the application doing that work, very often, in most cases, is hard-coded and in most cases, in clear text. So that anybody with a grep tool or being able to search within that environment could very easily find one of those password and identity pairs and then start to access the database and from the database perspective it just looks like the application logged in. That is something that's being highlighted by the audit community over the last six months as an egregious area that needs to be addressed because at that stage, you really have no footprints of who is doing what within your critical data pages.

What do you see for the future of corporate password security?

We're seeing it happen right now. And what I mean by that is organizations are no longer looking at their identity management from just "I need to deal with the end user identities." I think they're starting to look at it more from a holistic perspective in saying, "I have end user identities. I have privileged identities. I have application identities. I need to put together a strategy for my organization to address the range of identities within my organization." And do it from a holistic perspective from how I provision, how I report, how I have the audit trail, etc.

And you're seeing that happening not only within the company or customer perspective but you're also seeing it in the vendor community. We announced some relationships with Oracle and IBM and Corian over the last several months. Traditional identity management players that to this point have been focusing mostly on the end user identity. Now they want to be players looking at that holistic set of identities and are working with Cyber-Ark to bring our functionality on the privilege and application identity side to bear in addition to their end user capabilities.
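Three of the audit points Bosnian describes above can be checked mechanically: comparing a later inventory of privileged accounts against the day-1 baseline to spot accounts that appeared afterwards (the back-door case), flagging privileged passwords whose age exceeds the rotation policy, and doing the same grep an auditor would do for hard-coded clear-text credentials in scripts and config files. The Python below is an added example written for this page, not Cyber-Ark code; the hosts, account names, last-change dates, 90-day policy and configuration lines are all constructed for illustration.

```python
import re
from datetime import date

# Assumed policy for this example: privileged passwords rotate at least every 90 days.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed "today" for the audit run.
AUDIT_DATE = date(2007, 6, 1)

# Constructed day-1 baseline of known privileged accounts: (host, account).
BASELINE_ACCOUNTS = {
    ("fs01", "Administrator"),
    ("db01", "root"),
    ("rtr1", "enable"),
}

# Constructed later inventory: the same accounts plus one not present on day 1.
CURRENT_SNAPSHOT = {
    ("fs01", "Administrator"),
    ("db01", "root"),
    ("rtr1", "enable"),
    ("fs01", "svc_backup2"),   # appeared after the baseline was taken
}

# Constructed last-password-change dates for the accounts in the snapshot.
LAST_CHANGED = {
    ("fs01", "Administrator"): date(2007, 1, 15),
    ("db01", "root"): date(2007, 5, 20),
    ("rtr1", "enable"): date(2006, 11, 1),
    ("fs01", "svc_backup2"): date(2007, 5, 30),
}

# Constructed script/config lines of the kind the interview describes.
SAMPLE_CONFIG = """\
# db.properties (constructed)
db.url=jdbc:oracle:thin:@db01:1521/orcl
db.user=appuser
db.password=Summ3r2007
# backup.sh (constructed)
export BACKUP_PASSWD="hunter2"
api_secret: ${VAULT_API_SECRET}
timeout=30
"""


def new_privileged_accounts(baseline, current):
    """Privileged accounts present in the current inventory but absent from the baseline."""
    return sorted(set(current) - set(baseline))


def stale_passwords(last_changed, today=AUDIT_DATE, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """(host, account, age_in_days) for every password older than the rotation policy."""
    stale = []
    for (host, account), changed in last_changed.items():
        age = (today - changed).days
        if age > max_age_days:
            stale.append((host, account, age))
    return sorted(stale)


# A key containing password/passwd/pwd/secret, followed by = or : and a literal value.
CREDENTIAL_RE = re.compile(
    r"""(?ix)
    ^\s*(?:export\s+)?
    (?P<key>[\w.\-]*(?:password|passwd|pwd|secret)[\w.\-]*)
    \s*[=:]\s*
    ["']?(?P<value>[^"'\s#]+)
    """
)


def find_hardcoded_credentials(text):
    """(line_number, key) for each line that assigns a literal credential value.

    Values that are runtime references such as ${VAR} or $(cmd) are not literal
    secrets and are skipped, so a vault lookup does not count as a finding.
    """
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        match = CREDENTIAL_RE.match(line)
        if not match:
            continue
        value = match.group("value")
        if value.startswith("${") or value.startswith("$("):
            continue
        hits.append((num, match.group("key")))
    return hits


if __name__ == "__main__":
    print("accounts not in baseline:", new_privileged_accounts(BASELINE_ACCOUNTS, CURRENT_SNAPSHOT))
    print("passwords past policy:  ", stale_passwords(LAST_CHANGED))
    print("hard-coded credentials: ", find_hardcoded_credentials(SAMPLE_CONFIG))
```

Each function reports only the account or line that needs attention, so the output can feed the same kind of review an auditor performs: the new account is brought under management and its password changed, the stale passwords are rotated, and the two hard-coded values are moved out of the files into a managed store. The regex is deliberately simple; in practice it produces some false positives (any key whose name contains "secret"), which is the right trade-off for a review that a person reads.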

Posted by pschooff in Podcast


Comments

Excellent article
Thanks for sharing

Posted by: HYDER at June 23, 2007 05:13 AM
