Password Management for Medium to Large Organizations

Derek A. Smith C/CISO, CISSP
Fellow at the National Cybersecurity Institute at Excelsior
College/Government IT Program Manager
Password Management for Medium to
Large Organizations: Guidance for IT
Security Policy and Network Infrastructure
Design Decisions

Insider Threat – Analysis and Countermeasures 2
Introduction
Today we focus on how medium to large
organizations decision makers can best
manage user passwords.

Password Management
 Password Protection: The front line of defense
against intruders is the password system.
Virtually all multiuser systems require that a
user provide not only a name or identifier (ID)
but also a password. The password serves to
authenticate the ID of the individual logging on
to the system. In turn, the ID provides security
in the following ways:

Why organizations still use passwords
 Passwords are cheap
 Some credentials can only be used on
compatible devices
 Other credentials + passwords create
stronger authentication.
 Legacy applications still need passwords

Deploying passwords for user
authentication

How passwords are compromised
 Devices may be compromised
 Users write them down or share them
 Passwords can be guessed
 Passwords may be stored in plaintext
 Passwords can be readily converted back
to plaintext

Password management and human
limitations
 Users are people, not machines, so their
ability to securely manage passwords is
inherently limited.

Password Strength Guidance
 One of the weaknesses of passwords is
that they can be guessed
 Attackers can use tools to brute-force
passwords
 L0phtCrack: http://www.l0phtcrack.com/ for
Windows.
 John the Ripper:
http://www.openwall.com/john/ for Windows,
Mac OS X or Linux.

Password Strength Guidance Cont.
 Users should pick hard-to-guess
passwords
 Users should choose their passwords from
the widest possible set of characters

Password Strength Guidance Cont.
 To ensure that the search space is sufficiently large:
 Passwords must be at least seven characters long.
 Passwords must contain at least one lowercase letter, at least
one uppercase letter and at least one digit.
 If technically possible, passwords must contain at least one
punctuation mark, so long as there are many (10 or more)
available punctuation marks.
 To eliminate trivial passwords, passwords should not:
 Contain the user’s name or login ID.
 Contain a dictionary word, in any language that users can
reasonably be expected to know.
 More than two paired letters (e.g. abbcdde is valid, but abbbcdd
is not).

Password management in a Global
Society
 Global organizations speak a variety of
languages. Users around the world needs
to enforce a password policy that makes
sense for all of them
 Some best practices follow from this:
1. Encourage or require users to restrict their passwords to Latin
characters, both for compatibility and to avoid input methods
which display the characters users type.
2. Do use a dictionary lookup to ensure that new passwords are
hard to guess, and do include dictionaries of non-English words
represented in Latin character sets (e.g., Pinyin, etc.).

Password reuse
 Change them regularly
 common rule - force users to change every 60
or 90 days.
 Users should not reuse old passwords
 Enforce a password rule that limits the
number of password changes that a user
can make

Password secrecy
 Users frequently behave in ways that lead
to password disclosure
 A comprehensive password policy should
explicitly forbid these behaviors
 User friendly password management tools
and processes should be provided.
 Use password synchronization and single
sign-on.

Detecting and locking out intruders
 Systems can detect repeated attempts to
sign into an account with incorrect
passwords
 Best practice is to combine several intruder lockout-
related policies:
 Apply only to regular users
 A compensating control
 Apply a high threshold before triggering an intruder lockout
 Automatically clear lockouts after a short while

Encrypting passwords: Protecting
passwords in transit and at rest.
 It is generally not safe to trust the
physical security of the
communication path between a user’s
device and the systems the user
signs into
 Use protocol level encryption
 Use IPsec where an application does
not support network-level encryption

Password synchronization pros and cons
 Synchronization reduces security:
 If a single system is very insecure, then compromising that
system will give an attacker the passwords
 for every other system which uses synchronized passwords.
 This weakness is avoided by minimizing the use of such systems
and requiring that users employ
 unsynchronized passwords on such weak systems.
 Synchronization improves security:
 Users with many passwords have trouble remembering them
and consequently tend to write them
 down. System security is reduced to the security of a piece of
paper, a note on the user’s phone, etc.
 – i.e., close to zero.

Password synchronization pros and cons
cont.
 To mitigate the risk follow these
guidelines:
 Exclude insecure systems
 Change synchronized passwords
regularly
 Force users to choose strong (hard to
guess) passwords.

Single sign-on pros and cons
 Single sign-on (SSO) is any technology
that replaces multiple, independent login
prompts with a consolidated authentication
process, so that users don’t have to
repeatedly sign in.

The help desk process for forgotten and
locked out passwords
 The help desk process
 Security challenges
 Mitigating controls
 User authentication

The challenges of password management
and mobile devices
 BYOD challenges
 1. Connectivity
 2. Cached passwords
 BYOD opportunities

What Are Privileged Accounts?
Administrative
Accounts
Owned by the system:
• Not owned by any person
or “identity”
Shared Predefined:
• UNIX root
• Cisco enable
• DBA accounts
• Windows domain
• Etc.
Application
Accounts
Hard-coded, embedded:
• Resource (DB) IDs
• Generic IDs
• Batch jobs
• Testing Scripts
• Application IDs
Service Accounts:
• Windows Service Accounts
• Scheduled Tasks
Personal
Computer
Accounts
Windows Local administrator:
• Desktops
• Laptops
Shared:
• Help Desk
• Fire-call
• Operations
• Emergency
• Legacy applications
• Developer accounts

Privilege account common practices and
risks
 Common practices:
 Storage: Excel spreadsheets, physical safes, sticky notes, locked
drawers, memorizing, hard coded in applications and services
 Resets: Handled by designated IT members, call centers, mostly
manual
 Known to: IT staff, network operations, help desk, desktop support,
developers
 Common problems:
 Widely known, no accountability
 Unchanged passwords
 Lost passwords
 Same password across multiple systems
 Simplistic passwords – easy to remember
 Passwords not available when needed

Privilege account key business drivers
 Regulatory Compliance (Sarbanes Oxley, PCI, BS7799
etc.)
 Auditing and Reporting
 Control
 Segregation of Duties
 Proactive Improvement of Information Security Practices
 Lost and Risk prevention
 Return on Investment
 Administrative Password Management
 Internal Breach
 Return On Investment
 Efficiency and Productivity

Privilege account business and technical
requirement consideration
 Exceptionally secure solution for the keys of the kingdom
 Supreme performance, availability and disaster recovery
due to its mission-critical nature
 Flexible distributed architecture to fit the enterprise
complex network topology
 Single standard solution for a multi-facet problem
 Intuitive and robust interfaces

PowerBroker Password
Safe v6.2
Martin Cannard – Product Manager

PAM – A collection of best practices
AD Bridge Privilege
Delegation
Session
Management
Use AD credentials to access
Unix/Linux hosts Once the user is logged on,
manage what they can do
Managed list of resources the user is
authorized to access. Gateway proxy
capability. Audit of all session activity
Password & SSH
Key Management
Automate the management of functional account
passwords and SSH keys

Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Privileged Password Management
People Services A2A
Privileged
Session
Management
SSH Key
Management

Native desktop tool (MSTSC/PuTTY etc.) connects
to Password Safe which proxies connection through
to requested resource
Protected Resources
User authenticates to Password Safe and requests
session to protected resource
RDP/SSH session is proxied through the Password
Safe appliance
HTTPS RDP / SSH
RDP / SSH
Password
Safe
ProxyProxy
Privileged Session Management

All actions are indexed
and searchable, along
with any keystrokes
recorded.
Clicking on an action will
immediately jump you to
that index point of the
recording. Timestamps
may optionally be
displayed, as well as
toggling between showing
keystrokes only, or
keystrokes plus actions.
Privileged Session Management

Differentiator:
Adaptive Workflow Control

Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where

Differentiator:
Controlling Application Access

Automatic Login to ESXi example
Browser
RDP Client
ESX
RDP (4489) RDP (3389)
User selects
vSphere application
and credentials
vSphere RemoteApp
Credential
Checkout
Credential Management
User
Store
Session Recording / Logging
HTTPS

Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
Browser
RDP Client
SSH (22) SSH (22)
User selects SSH
application and
credentials
SSH Application
Credential
Checkout
Session Recording / Logging
HTTPS

Differentiator:
Reporting & Analytics

What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on
the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data
pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users

Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10
vendors reviewed
− “BeyondTrust excels with its privileged session
management capabilities.”
− “BeyondTrust […] provides the machine learning and
predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all
five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-
stop approach to PAM… one of only a small band of
PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research,
Frost & Sullivan and Forrester

Password Management for Medium to Large Organizations

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (19)

Mais de BeyondTrust

Mais de BeyondTrust (20)

Último

Último (20)

Password Management for Medium to Large Organizations