TRANSCRIPT
Passwords and Breaches:
A Match Made in Heaven
Dave Shackleford
Voodoo Security
Passwords…Aaargh!!
• The news these days is full of discussion and concern
over data breaches, a trend that’s been continuing for
several years
• All types of sensitive data and organizations have been
impacted
• Why does this keep happening?!
DBIR Stats: 2014
• Verizon cited almost 2 out of every 3 breaches involving
credentials at some point in the attack campaign
• Many attackers focused almost exclusively on use and abuse of privileged credentials
DBIR Stats: 2015
• In the 2015 DBIR, Verizon noted that every single breached Point-of-Sale (POS) vendor had their credentials breached, allowing attackers to harvest credit card numbers galore.
• In addition, attackers relied less on default credentials being in place, and placed more emphasis on stolen credentials from users.
DBIR Stats: 2016
• Hacking with stolen credentials is WAY up
• 63% of confirmed breaches involve weak, default, or stolen credentials
Breach Example 1: Target
• Target experienced a significant breach of roughly 110
million customers’ data, with at least 40 million payment
cards stolen.
• During the course of the investigation, it was found that
Target was initially breached through a connection
established by one of their vendors, HVAC vendor Fazio
Mechanical Services
Breach Example 2: Home Depot
• Home Depot, another large retailer, also claims that its
credit card breach in 2014 was initially due to stolen
credentials from a third-party vendor.
• In many of the most public cases we have seen, the
attackers have targeted personal data, health care
information and financial data, such as debit and credit
card details.
Breach Example 3: OPM
• Originally cited as 4 million records breached, that number is
now upwards of 25 million+
• Highly sensitive data related to background checks,
government clearance, and personal information was
compromised
• This breach, like many others, seems to have originated with stolen credentials from a background check provider that worked with OPM, KeyPoint Government Solutions
Credential Misuse is a PATTERN.
• Based on these repeated series of attacks, we’ve got
years of evidence that credential theft and misuse leads
to major breaches and exposure
• We still have issues with:
– One-factor authentication (passwords)
– Password management
– Privileged users and credentials
Stupid Pen Test Tricks:
Credential Dumps
• So many in recent years – Yahoo, LinkedIn, Ashley Madison, etc.
• These should be added to password lists
You go…”ninja”.
Stupid Pen Test Tricks:
Hash Dumps
• Once a system has been exploited, any pen tester will
immediately dump creds
Stupid Pen Test Tricks:
Plaintext Creds…aka DERP
• This doesn’t work as often as it used to, but dumping
plaintext credentials is a great way to win as a pen tester
Stupid Pen Test Tricks:
Social Engineering
• Social engineering, especially phishing can grant you
access to credentials and/or systems (thus, credentials)
Stupid Pen Test Tricks:
Pass-the-Hash
• In many cases, Windows “Pass the Hash” techniques still
work beautifully
– At least for the local Admin account
• Metasploit, the Windows Credential Editor, and other tools
can employ this technique
Stupid Pen Test Tricks:
Password Guessing
• While certainly not subtle, password guessing attacks can
definitely still prove effective
• Tools like Hydra, Medusa, and others can easily target SMB, SSH, HTTP, and many other forms of authentication
Credential Security: Prevention
• User education on protecting credentials and avoiding
social engineering attacks is key
• Create and implement a password security policy
• Implement multi-factor authentication tools
• Password escrow or randomization requires a “checkout”
for short-term use, and can be helpful for admin and
privileged access and control
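The "credential dumps" slide above says leaked lists belong in a pen tester's wordlists; the same lists are the natural input to the password policy this slide asks for. The following is an added example (editor's code, not from the webinar or from BeyondTrust) that screens a proposed password against a leaked-password list, catching the mangled variants ("Summer2016!!", "P@ssw0rd2017") that a verbatim lookup misses. The dump contents, the leet-speak map, the minimum length and the rejection reasons are constructed assumptions for the example.

```python
import re

# Constructed stand-in for a leaked-credential dump (sample data, not from the webinar).
# A real dump (the LinkedIn or Yahoo lists the slides mention) is fed in the same way.
LEAKED_SAMPLE = """\
123456
password
Summer2016
linkedin
Welcome1
letmein
P@ssw0rd
qwerty
"""

# Substitutions users apply to "strengthen" a word; reversed here to recover the word.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def root_of(password):
    """Lower-case, drop trailing digits/symbols (the 'Summer2016!' habit), undo leet-speak."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def build_denylist(dump_text):
    """Exact lower-cased entries plus their roots, so mangled forms of a leak are caught too."""
    exact, roots = set(), set()
    for line in dump_text.splitlines():
        pw = line.strip()
        if not pw:
            continue
        exact.add(pw.lower())
        root = root_of(pw)
        if len(root) >= 4:  # very short roots would reject almost any password
            roots.add(root)
    return exact, roots


def check_password(candidate, denylist, username=None, min_len=12):
    """Return None if the candidate is acceptable, otherwise the reason it was rejected."""
    exact, roots = denylist
    low = candidate.lower()
    if len(candidate) < min_len:
        return "too short"
    if low in exact:
        return "appears verbatim in a breach dump"
    if root_of(candidate) in roots:
        return "is a mangled form of a leaked password"
    if username and username.lower() in low:
        return "contains the username"
    return None


if __name__ == "__main__":
    denylist = build_denylist(LEAKED_SAMPLE)
    for pw in ("Summer2016!!", "P@ssw0rd2017", "letmein", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, denylist) or "ok")
```

Only the root check is "smart"; purely numeric leaks such as 123456 are caught only by the exact match, so length and the verbatim lookup still matter. Store the dump's entries as hashes if the list itself must not sit in plaintext on the policy server.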
Credential Security: Detection
• Detecting credential hijack and abuse may be difficult
• Things to look for:
– Repeated failed logins
– Authentication attempts/activity at abnormal times
– Unusual patterns of access
– Account or system patterns of connectedness
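The four indicators on this slide, as an added example (editor's code, not the speaker's or BeyondTrust's) run over constructed sshd-style log lines: a burst of failed logins, successful logins at hours the user never used before, a success from a source IP never seen for that user, and one account fanning out to many hosts inside a short window (the "connectedness" pattern). The log lines, the thresholds and the baseline cutoff date are assumptions made for the example; the baseline is learned from the days before the cutoff.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth events (sample data, not from the webinar or any real host).
# 2016-05-02/03 form the learning baseline; 2016-05-04 holds the suspicious activity.
SAMPLE_LOG = """\
2016-05-02T09:02:11 web1 sshd: Accepted password for alice from 10.0.1.20
2016-05-02T14:10:40 web1 sshd: Accepted password for alice from 10.0.1.20
2016-05-02T10:05:09 db1 sshd: Accepted password for bob from 10.0.1.31
2016-05-03T08:55:02 web1 sshd: Accepted password for alice from 10.0.1.20
2016-05-03T11:20:17 db1 sshd: Accepted password for bob from 10.0.1.31
2016-05-04T02:13:01 web1 sshd: Failed password for alice from 203.0.113.7
2016-05-04T02:13:04 web1 sshd: Failed password for alice from 203.0.113.7
2016-05-04T02:13:08 web1 sshd: Failed password for alice from 203.0.113.7
2016-05-04T02:13:11 web1 sshd: Failed password for alice from 203.0.113.7
2016-05-04T02:13:15 web1 sshd: Failed password for alice from 203.0.113.7
2016-05-04T02:13:20 web1 sshd: Accepted password for alice from 203.0.113.7
2016-05-04T02:20:44 db1 sshd: Accepted password for alice from 10.0.2.5
2016-05-04T02:22:03 app1 sshd: Accepted password for alice from 10.0.2.5
2016-05-04T02:25:30 bastion sshd: Accepted password for alice from 10.0.2.5
2016-05-04T09:30:00 db1 sshd: Accepted password for bob from 10.0.1.31
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)$")


def parse_log(text):
    """Turn matching lines into dicts sorted by time; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["ok"] = e.pop("result") == "Accepted"
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(user, src) pairs with >= threshold failures inside one sliding window."""
    per_pair = defaultdict(list)
    for e in events:
        if not e["ok"]:
            per_pair[(e["user"], e["src"])].append(e["ts"])
    hits = set()
    for pair, times in per_pair.items():  # times are already chronological
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(pair)
    return hits


def build_baseline(events, cutoff):
    """Per-user hours of day and source IPs seen on successful logins before cutoff."""
    hours, sources = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            hours[e["user"]].add(e["ts"].hour)
            sources[e["user"]].add(e["src"])
    return hours, sources


def _hour_distance(a, b):
    d = abs(a - b) % 24
    return min(d, 24 - d)  # 23:00 and 01:00 are two hours apart, not 22


def off_hours_logins(events, cutoff, hours, slack=2):
    """Successes after cutoff more than `slack` hours away from every baseline hour of that user."""
    return [(e["user"], e["host"], e["ts"].isoformat()) for e in events
            if e["ok"] and e["ts"] >= cutoff and hours.get(e["user"])
            and all(_hour_distance(e["ts"].hour, h) > slack for h in hours[e["user"]])]


def new_source_logins(events, cutoff, sources):
    """Successes after cutoff from a source IP never seen for that user in the baseline."""
    return [(e["user"], e["src"], e["host"]) for e in events
            if e["ok"] and e["ts"] >= cutoff and sources.get(e["user"])
            and e["src"] not in sources[e["user"]]]


def host_fan_out(events, cutoff, threshold=3, window=timedelta(minutes=30)):
    """Users reaching >= threshold distinct hosts within one window (lateral-movement shape)."""
    per_user = defaultdict(list)
    for e in events:
        if e["ok"] and e["ts"] >= cutoff:
            per_user[e["user"]].append((e["ts"], e["host"]))
    flagged = {}
    for user, logins in per_user.items():
        best = max(len({h for t, h in logins[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(logins))
        if best >= threshold:
            flagged[user] = best
    return flagged


def analyze(text, cutoff="2016-05-04T00:00:00"):
    """Run all four checks; the baseline is learned from successes before `cutoff`."""
    events = parse_log(text)
    cut = datetime.fromisoformat(cutoff)
    hours, sources = build_baseline(events, cut)
    return {"failed_bursts": failed_login_bursts(events),
            "off_hours": off_hours_logins(events, cut, hours),
            "new_sources": new_source_logins(events, cut, sources),
            "fan_out": host_fan_out(events, cut)}


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

Each check alone is noisy (a night-shift admin trips the hour rule, a new laptop trips the source rule); the value is in the combination. In the sample, alice's account hits all four within fifteen minutes, which is the shape the Target and OPM narratives above describe: a stolen credential used from a new place, at an odd hour, to reach hosts the real user never touched.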
Credential Security: Response
• If credentials have been hijacked or abused:
– Change passwords immediately
– Notify partners or any connected 3rd parties
– Look for account activity in logs
– Perform forensics and more in-depth analysis of systems with
that user activity
Conclusion
• Passwords are a nightmare.
• Of course, we can’t get rid of them easily, but they continue to plague us
• We’re likely to see passwords involved in breach scenarios for some time to come
• The time is NOW to implement better password protection controls!
PowerBroker Password Safe
v5.8
Rod Simmons – Product Manager
PAM – A collection of best practices
• AD Bridge: Use AD credentials to access Unix/Linux hosts
• Privilege Delegation: Once the user is logged on, manage what they can do
• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords and keys are released and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
• Privileged Password Management (People, Services, A2A)
• Privileged Session Management
• SSH Key Management
Differentiator: Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
Differentiator: Included Session Management
• User authenticates to Password Safe over HTTPS and requests a session to a protected resource
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
• The RDP/SSH session is proxied through the Password Safe appliance
Diagram: Privileged Session Management (User, HTTPS to Password Safe Proxy, RDP / SSH on to the Protected Resources)
Differentiator: Controlling Application Access
Automatic Login to ESXi example
• User selects the vSphere application and credentials in the browser (HTTPS to Password Safe)
• Password Safe performs the credential checkout (credential management, user store) and records/logs the session
• The RDP client connects to Password Safe, which launches vSphere as a RemoteApp with the checked-out credential, so the user never sees the password
Diagram labels: Browser, RDP Client, ESXRDP (4489), RDP (3389), vSphere RemoteApp, Credential Checkout, Credential Management, User Store, Session Recording / Logging, HTTPS
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
Flow: the user selects the SSH application and credentials in the browser (HTTPS); Password Safe performs the credential checkout and proxies the SSH session (port 22) through to the SSH application, with session recording / logging
Diagram labels: Browser, RDP Client, SSH (22), SSH Application, Credential Checkout, Session Recording / Logging, HTTPS
Differentiator: Reporting & Analytics
• Actionable Reporting
• Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on
the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data
pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Key differentiators and business value
Reduce risk | Achieve compliance | Improve efficiency
Less complexity & cost
• Password and Session Management together in the same solution
• Rotate SSH keys according to a defined schedule and enforce granular access control and workflow
• Native tools for session management (MSTSC/PuTTY etc), with no Java required
Faster time to value
• Deploy as a hardened physical or virtual appliance with a sealed operating system, or as software
• Clean, uncluttered, and intuitive HTML5 interface for end users
• Full network scanning, discovery and profiling with auto-onboarding, and Smart Rules
Better insights
• Integrated data warehouse and threat analytics capability through BeyondInsight
• Live session monitoring, true dual control for locking, terminating or canceling sessions
• Improve workflow by considering the day, date, time and location when a user accesses resources
PowerBroker Privileged Account Management:
Validated by the industry
BeyondTrust is a “representative vendor” for all five key feature solution categories. [1]
“Deploying the BeyondTrust PAM platform … provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.” [2]
“BeyondTrust is a pure-player in the Global Privileged Identity Management market and holds a significant position in the market.” [3]
“Frost & Sullivan endorses PowerBroker Password Safe.” [4]
“Leverage a solution like BeyondTrust’s PowerBroker for Windows to transparently remove administrator privileges.” [5]
BeyondTrust is a “Major Player” in Privileged Access Management. [6]
“BeyondTrust is a vendor you can rely on… BeyondTrust PowerBroker Auditor suite is an impressive set of flexible and tightly integrated auditing tools for Windows environments.” [7]
[1] Gartner, Market Guide for Privileged Account Management, June 17, 2014.
[2] Ovum, SWOT Assessment: BeyondTrust – The BeyondInsight and PowerBroker Platform, November 5, 2014.
[3] TechNavio, Global Privileged Identity Management Market 2015-2019, 2014.
[4] Frost & Sullivan, PowerBroker Password Safe – a Frost & Sullivan Product Review, 2014.
[5] Forrester, Introducing Forrester’s Targeted Hierarchy of Needs, May 15, 2014.
[6] IDC, IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment, March 2015.
[7] Kuppinger Cole, Executive View: BeyondTrust PowerBroker Auditor Suite, March 2015.
Demonstration
Poll
Q&A
Thank you for attending.