Secure Application to Application Password Management



According to the 2016 Verizon Data Breach Investigations report, 63% of confirmed data breaches involved weak, default or stolen passwords. In addition to insiders using valid credentials, many of these attacks include hackers that are gaining internal access by compromising desktops, gaining a foothold, and then leveraging captured or stolen credentials to move laterally within the corporate perimeter. In response, organizations must continue to make lateral movement by these attackers more difficult. Best practice recommendations include: implementing multi-factor authentication, complex password policies, enforcing unique passwords across systems, and frequently changing passwords. However, one privilege vulnerability that can be challenging to address and that is often overlooked is hard-coded passwords found within code, scripts and supporting files.

It may be for simplicity, limited security education, or lack of an alternative solution, but hard-coded passwords continue to be prevalent in both legacy and newly minted software in organizations around the globe. Take for example a simple connection string command:

MyApp.getConnection(url/database, UserName, Password)

While this code will create the necessary connections used by the application, all developers who have access to the code base will also have access to the password. However, not only does this expose the password to the internal development team, but it creates significant ongoing operational and security challenges:

• Once the software is deployed in production, the password cannot be changed without patching the software, which can become costly and impact availability.

• All internal users (employees, contractors, vendors) with appropriate access to this information can use it to access unauthorized data.

• Any hackers that have access, even to compiled solutions, can use various tools to disassemble the code, which will contain the values of the passwords used.

• Code that contains passwords may become publicly available through libraries, externally accessible URLs, emails, posts, etc.

• Source code is mobile. Over time, source code may be copied, moved, and stored in various locations within an organization.

• Hard-coded passwords require exceptions to best practices such as regularly changing passwords to support security and compliance objectives.

Secure Application to Application Password Management
Privileged Password Management and Privileged Session Management

Key Differentiators

NETWORK-BASED ASSET DISCOVERY

Scan, identify, and profile all users and services; automatically onboard systems and accounts under management, speeding time to value.

DYNAMIC RULES & ASSET GROUPINGS

Build Smart Rules to trigger alerts or auto provision based on system categorization, speeding time to resolution.

SIMPLIFIED SSH KEY MANAGEMENT

Schedule SSH key rotation and enforce granular access control and workflow.

UNIFIED PASSWORD AND SESSION MANAGEMENT

Use a single solution for both password management and session management, lowering cost and complexity.

AGENTLESS SESSION MANAGEMENT

Utilize native tools including Microsoft® Remote Desktop and PuTTY to connect to systems without the need for Java.

APPLICATION PASSWORD MANAGEMENT

Get control over scripts, files, code, and embedded keys by automatically eliminating hard-coded or embedded credentials.

ADVANCED WORKFLOW CONTROL

Add context to workflow requests by considering the day, date, time, and location when a user accesses resources.

THREAT ANALYTICS & REPORTING

Leverage a central data warehouse to collect, correlate, trend, and analyze key threat metrics; customize reports to meet specific needs.


ELIMINATING HARD CODED PASSWORDS WITH POWERBROKER

Controlling scripts, files, code, and embedded keys helps to close back doors to your critical systems. Getting control can be a challenge, but with PowerBroker Password Safe you can eliminate hard-coded or embedded application credentials, simplify management, and better secure the organization from exploitation of those credentials. PowerBroker Password Safe is a comprehensive solution that includes functionality like application to application password management and session management at no additional charge. PowerBroker Password Safe:

• Reduces risk by closing unknown or unmanaged back doors to your systems.

• Allows removal of hard-coded passwords from applications and scripts.

• Provides an extensible REST interface that supports many languages, including C/C++, Perl, .NET, and Java.

• Ensures that passwords can be automatically reset upon release.

• Enforces extensive security controls to lock down access to only authorized apps.

A simple step-by-step guide using Password Safe:

1. Create an Application Security Profile in the central console.

2. Configure access policy to include factors such as location, certificate, date/time controls, and real-time alerts.

3. Write script/code to replace hard-coded passwords in applications with a REST API call.

4. Execute the application (credentials are dynamically released through the API).

5. Credentials are then released and optionally cycled.

6. Application-to-application usage may be viewed in the centralized audit log through delegated reporting mechanisms.

7. From the central console, credential use may be examined to identify approved/unapproved activity.
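The hard-coded connection string discussed earlier and the guide's step of replacing embedded passwords with a REST API call, shown together as an added Python example (not BeyondTrust's code and not the PowerBroker Password Safe API): a connection built from an embedded password beside one that authenticates the application to a vault and fetches the credential at run time, so a rotation or a release-and-cycle needs no code change. The vault URL, the `/credentials/{account}` and `/release` paths, the bearer API key and the JSON shape are assumptions standing in for a real application-to-application password API, and `fake_vault_transport` is a constructed in-memory stand-in so the example runs offline.

```python
import json
import time
import urllib.request

# BEFORE: the secret lives in the code base and in every artifact built from it.
def connect_hardcoded() -> dict:
    return {"url": "db.example.internal", "user": "app_user", "password": "P@ssw0rd1"}  # constructed

# AFTER: the app authenticates to the vault and fetches the credential at run time; rotating it needs no redeploy.
class VaultClient:
    def __init__(self, base_url, api_key, ttl_s=30.0, transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key      # app-to-vault identity, supplied by the environment, not the code
        self.ttl_s = ttl_s          # short-lived cache bounds how long a rotated password lingers
        # Injectable transport lets this example run offline; the default does a real HTTPS call.
        self.transport = transport or (lambda req: urllib.request.urlopen(req, timeout=5).read())
        self._cache = {}            # account -> (password, expiry)

    def _request(self, path, method="GET"):
        url = f"{self.base_url}/credentials/{path}"              # hypothetical vault API path
        hdrs = {"Authorization": f"Bearer {self.api_key}"}
        return self.transport(urllib.request.Request(url, method=method, headers=hdrs))

    def get_password(self, account):
        hit = self._cache.get(account)
        if hit and hit[1] > time.monotonic():
            return hit[0]
        password = json.loads(self._request(account))["password"]
        self._cache[account] = (password, time.monotonic() + self.ttl_s)
        return password

    def release(self, account):  # check the credential back in (vault may cycle it) and drop the cached copy
        self._request(f"{account}/release", method="POST")
        self._cache.pop(account, None)

def connect_with_vault(vault, account):
    # The password is fetched and used; it is never written to config files or logs.
    return {"url": "db.example.internal", "user": account, "password": vault.get_password(account)}

def fake_vault_transport(store, calls):  # constructed in-memory stand-in for the vault's HTTP API
    def _transport(req):
        calls.append(f"{req.get_method()} {req.full_url}")
        if req.get_header("Authorization") != "Bearer app-key-123":  # hypothetical app key
            raise PermissionError("vault rejected unauthenticated application")
        parts = req.full_url.split("/")
        if parts[-1] == "release":                 # simulate automatic cycling on release
            store[parts[-2]] += "-rotated"
            return b"{}"
        return json.dumps({"password": store[parts[-1]]}).encode()
    return _transport
```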

© 2016 BeyondTrust Corporation. All rights reserved. BeyondTrust, BeyondInsight and PowerBroker are trademarks or registered trademarks of BeyondTrust in the United States and other countries. Microsoft, Windows, and other marks are the trademarks of their respective owners. May 2016

The PowerBroker Privileged Access Management Solution

The BeyondTrust PowerBroker Privileged Access Management Platform is a modular, integrated solution that provides visibility and control over all privileged accounts and users. By uniting capabilities that many providers offer as disjointed tools, the platform simplifies deployments, reduces costs, improves system security, and reduces privilege risks. Solutions include:

• Server Privilege Management: Control, audit, and simplify access to business critical systems.

• Enterprise Password Security: Provide accountability and control over privileged credentials and sessions.

• Endpoint Least Privilege: Remove excessive user privileges and control applications on endpoints.

CONTACT

North America Tel: 800.234.9072 or [email protected]

EMEA Tel: +44 (0)1133 [email protected]

APAC Tel: +65 6701 [email protected]

CONNECT

Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
www.beyondtrust.com

KEY API FEATURES

• Fully integrated with the PowerBroker Privileged Access Management Platform

• Scalable, fault-tolerant password cache to maximize performance and availability

• Dynamic workflow and approval supporting UI and REST API activities

• Centralized audit, alerting and reporting of credential activities, including: extensive command reference, check-in/check-out, password cycling, and much more