Catch the full webinar here: https://www.beyondtrust.com/resources/webinar/password-management-medium-large-organizations-guidance-security-policy-network-infrastructure-design-decisions/
This presentation, taken from the webinar Password Management for Medium to Large Organizations: Guidance for IT Security Policy and Network Infrastructure Design Decisions by cybersecurity expert Derek A. Smith (C/CISO and CISSP) of Cybersecurity Initiatives, explores best practices for password management, with a focus on privileged passwords.
Check out this presentation for a taste of the webinar and to get guidance and recommendations to make informed decisions on password management security policy and to design network infrastructure that includes password management.
Topics covered include:
Why organizations still use passwords
Deploying passwords for user authentication
How passwords are compromised
Password management and human limitations
Password Strength Guidance
Password management in a Global Society
Password reuse
Password secrecy
Detecting and locking out intruders
Encrypting passwords: Protecting passwords in transit and at rest.
Password synchronization pros and cons
Single sign-on pros and cons
The help desk process for forgotten and locked out passwords
The challenges of password management and mobile devices
What are privileged users
The challenges for securing privileged accounts
Privilege account common practices and risks
Privilege account key business drivers
Privilege account business and technical requirement consideration
Password Management for Medium to Large Organizations
1. Derek A. Smith, C/CISO, CISSP
Fellow at the National Cybersecurity Institute at Excelsior College / Government IT Program Manager
Password Management for Medium to Large Organizations: Guidance for IT Security Policy and Network Infrastructure Design Decisions
2. Insider Threat – Analysis and Countermeasures 2
Introduction
Today we focus on how decision makers in medium to large organizations can best manage user passwords.
3. Password Management
Password Protection: The front line of defense against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:
4. Why organizations still use passwords
Passwords are cheap
Some credentials can only be used on compatible devices
Other credentials + passwords create stronger authentication
Legacy applications still need passwords
5. Deploying passwords for user authentication
6. How passwords are compromised
Devices may be compromised
Users write them down or share them
Passwords can be guessed
Passwords may be stored in plaintext
Passwords can be readily converted back to plaintext
7. Password management and human limitations
Users are people, not machines, so their ability to securely manage passwords is inherently limited.
8. Password Strength Guidance
One of the weaknesses of passwords is that they can be guessed
Attackers can use tools to brute-force passwords
L0phtCrack: http://www.l0phtcrack.com/ for Windows.
John the Ripper: http://www.openwall.com/john/ for Windows, Mac OS X or Linux.
9. Password Strength Guidance Cont.
Users should pick hard-to-guess passwords
Users should choose their passwords from the widest possible set of characters
10. Password Strength Guidance Cont.
To ensure that the search space is sufficiently large:
Passwords must be at least seven characters long.
Passwords must contain at least one lowercase letter, at least one uppercase letter and at least one digit.
If technically possible, passwords must contain at least one punctuation mark, so long as there are many (10 or more) available punctuation marks.
To eliminate trivial passwords, passwords should not:
Contain the user’s name or login ID.
Contain a dictionary word, in any language that users can reasonably be expected to know.
Contain more than two paired letters (e.g. abbcdde is valid, but abbbcdd is not).
11. Password management in a Global Society
Global organizations speak a variety of languages, so they need to enforce a password policy that makes sense for users around the world.
Some best practices follow from this:
1. Encourage or require users to restrict their passwords to Latin characters, both for compatibility and to avoid input methods which display the characters users type.
2. Do use a dictionary lookup to ensure that new passwords are hard to guess, and do include dictionaries of non-English words represented in Latin character sets (e.g., Pinyin, etc.).
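As an added illustration (not code from the webinar or its slides), the following Python checker enforces the search-space and trivial-password rules from slide 10 together with the multi-language dictionary lookup from slide 11; the wordlist, user name and login ID are constructed sample values, and "paired letters" is read as overlapping adjacent identical characters, which reproduces the slide's abbcdde/abbbcdd distinction.

```python
import string

# Constructed sample wordlist standing in for the English plus non-English
# (e.g. Pinyin) dictionaries the slides recommend; a real deployment loads files.
DICTIONARY = {"password", "welcome", "summer", "dragon", "mima", "nihao"}

# string.punctuation has 32 marks, so the "10 or more available" condition holds
PUNCTUATION = set(string.punctuation)


def paired_letter_count(pw):
    """Count adjacent identical characters, overlapping: 'abbbcdd' -> bb, bb, dd = 3."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)


def check_password(pw, user_name, login_id, dictionary=DICTIONARY):
    """Return the policy rules the candidate password violates (empty list == accepted)."""
    problems = []
    # Search-space rules
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in PUNCTUATION for c in pw):
        problems.append("no punctuation mark")
    # Trivial-password rules; all comparisons are case-insensitive
    lowered = pw.lower()
    for ident in (login_id, *user_name.split()):  # login ID plus each name part
        if ident and ident.lower() in lowered:
            problems.append("contains identifier '%s'" % ident)
    for word in sorted(dictionary):  # substring match so 'Summer2016!' is caught
        if word in lowered:
            problems.append("contains dictionary word '%s'" % word)
            break
    if paired_letter_count(pw) > 2:
        problems.append("more than two paired letters")
    return problems


if __name__ == "__main__":
    for candidate in ("abbcdde", "Summer2016!", "Dsmith99!", "Tr!ck3dFox"):
        print(candidate, "->", check_password(candidate, "Derek Smith", "dsmith") or "OK")
```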
12. Password reuse
Change them regularly: a common rule is to force users to change every 60 or 90 days.
Users should not reuse old passwords
Enforce a password rule that limits the number of password changes that a user can make
13. Password secrecy
Users frequently behave in ways that lead to password disclosure
A comprehensive password policy should explicitly forbid these behaviors
User-friendly password management tools and processes should be provided.
Use password synchronization and single sign-on.
14. Detecting and locking out intruders
Systems can detect repeated attempts to sign into an account with incorrect passwords
Best practice is to combine several intruder lockout-related policies:
Apply only to regular users
A compensating control
Apply a high threshold before triggering an intruder lockout
Automatically clear lockouts after a short while
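As an added example (not from the webinar), this Python class combines the four lockout policies above: only regular users are locked, exempt (privileged) accounts get an alert as the compensating control, the threshold is high, and lockouts expire on their own. The threshold and timing values and the injectable clock are assumptions for illustration.

```python
import time
from collections import deque

class LockoutPolicy:
    """Failed-login tracker combining the four lockout policies from the slide."""

    def __init__(self, threshold=20, window_seconds=900, lockout_seconds=300,
                 exempt_accounts=(), clock=time.time):
        self.threshold = threshold          # high, so ordinary typos never trigger it
        self.window = window_seconds        # failures older than this are forgotten
        self.lockout = lockout_seconds      # lockouts clear automatically after this
        self.exempt = set(exempt_accounts)  # admin/service accounts: never locked out
        self.clock = clock                  # injectable so tests can advance time
        self.failures = {}                  # account -> deque of failure timestamps
        self.locked_until = {}              # account -> time the lockout expires
        self.alerts = []                    # compensating control for exempt accounts

    def _recent_failures(self, account, now):
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # automatic clearing, no help desk call
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Register a wrong password; returns True if the account is now locked out."""
        now = self.clock()
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) < self.threshold:
            return False
        if account in self.exempt:
            # exempt accounts raise an alert instead of being locked (compensating control)
            self.alerts.append((now, account, len(q)))
            return False
        self.locked_until[account] = now + self.lockout
        return True

    def record_success(self, account):
        """A good login resets the failure counter."""
        self.failures.pop(account, None)
```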
15. Encrypting passwords: Protecting passwords in transit and at rest
It is generally not safe to trust the physical security of the communication path between a user’s device and the systems the user signs into
Use protocol-level encryption
Use IPsec where an application does not support network-level encryption
16. Password synchronization pros and cons
Synchronization reduces security: If a single system is very insecure, then compromising that system will give an attacker the passwords for every other system which uses synchronized passwords. This weakness is avoided by minimizing the use of such systems and requiring that users employ unsynchronized passwords on such weak systems.
Synchronization improves security: Users with many passwords have trouble remembering them and consequently tend to write them down. System security is reduced to the security of a piece of paper, a note on the user’s phone, etc., i.e., close to zero.
17. Password synchronization pros and cons cont.
To mitigate the risk, follow these guidelines:
Exclude insecure systems
Change synchronized passwords regularly
Force users to choose strong (hard to guess) passwords.
18. Single sign-on pros and cons
Single sign-on (SSO) is any technology that replaces multiple, independent login prompts with a consolidated authentication process, so that users don’t have to repeatedly sign in.
19. The help desk process for forgotten and locked out passwords
The help desk process
Security challenges
Mitigating controls
User authentication
20. The challenges of password management and mobile devices
BYOD challenges
1. Connectivity
2. Cached passwords
BYOD opportunities
21. What Are Privileged Accounts?
Administrative Accounts
  Owned by the system:
  • Not owned by any person or “identity”
  Shared, predefined:
  • UNIX root
  • Cisco enable
  • DBA accounts
  • Windows domain
  • Etc.
Application Accounts
  Hard-coded, embedded:
  • Resource (DB) IDs
  • Generic IDs
  • Batch jobs
  • Testing scripts
  • Application IDs
  Service accounts:
  • Windows Service Accounts
  • Scheduled Tasks
Personal Computer Accounts
  Windows local administrator:
  • Desktops
  • Laptops
  Shared:
  • Help Desk
  • Fire-call
  • Operations
  • Emergency
  • Legacy applications
  • Developer accounts
22. Privilege account common practices and risks
Common practices:
Storage: Excel spreadsheets, physical safes, sticky notes, locked drawers, memorizing, hard coded in applications and services
Resets: Handled by designated IT members, call centers, mostly manual
Known to: IT staff, network operations, help desk, desktop support, developers
Common problems:
Widely known, no accountability
Unchanged passwords
Lost passwords
Same password across multiple systems
Simplistic passwords – easy to remember
Passwords not available when needed
23. Privilege account key business drivers
Regulatory Compliance (Sarbanes Oxley, PCI, BS7799 etc.)
Auditing and Reporting
Control
Segregation of Duties
Proactive Improvement of Information Security Practices
Loss and Risk Prevention
Return on Investment
Administrative Password Management
Internal Breach
Efficiency and Productivity
24. Privilege account business and technical requirement considerations
Exceptionally secure solution for the keys to the kingdom
Supreme performance, availability and disaster recovery due to its mission-critical nature
Flexible distributed architecture to fit the enterprise's complex network topology
Single standard solution for a multi-faceted problem
Intuitive and robust interfaces
26. PAM – A collection of best practices
AD Bridge: Use AD credentials to access Unix/Linux hosts
Privilege Delegation: Once the user is logged on, manage what they can do
Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
Password & SSH Key Management: Automate the management of functional account passwords and SSH keys
27. Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
[Diagram: Privileged Password Management (People, Services, A2A), Privileged Session Management, SSH Key Management]
28. Privileged Session Management
Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource.
User authenticates to Password Safe and requests a session to a protected resource.
RDP/SSH session is proxied through the Password Safe appliance.
[Diagram: user (HTTPS, RDP/SSH) -> Password Safe proxy -> RDP/SSH -> protected resources]
29. Privileged Session Management
All actions are indexed and searchable, along with any keystrokes recorded.
Clicking on an action will immediately jump you to that index point of the recording. Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.
38. What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on
the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data
pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
39. Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10 vendors reviewed
− “BeyondTrust excels with its privileged session management capabilities.”
− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester