
As cyber-attacks become more frequent and sophisticated, tightening security has become a priority for the federal government. Enforcement of “Controlled Unclassified Information” (CUI) protection continues to intensify: private contractors and organizations are now required to upgrade their cybersecurity systems and procedures to keep pace with these threats. On April 24, 2018, the Department of Defense (DoD) issued draft guidance for assessing contractors’ System Security Plans (SSPs) and their implementation of the security requirements in NIST Special Publication (SP) 800-171. If you are a defense contractor, you are required to comply with these regulations and provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted.

DoD issued two draft guidance documents. The first, “Assessing the State of a Contractor’s Information System,” addresses four objectives: what must be in an RFP, how the source selection authority would evaluate the requirement, what resources are available for that evaluation, and the contract provisions needed to implement the requirement during performance. The second, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” helps DoD determine the risk that an unimplemented security requirement poses to an information system and which unmet requirements should be prioritized.

What does “adequate security” mean? At a minimum, defense contractors must implement the requirements in NIST SP 800-171. Contractors need to provide an SSP documenting how the security requirements are implemented, and plans of action and milestones (POA&Ms) describing how any unimplemented requirements will be met.

Unimplemented Controls Receive a Value Rating

NIST SP 800-171 comprises 110 security requirements covering policies, procedures, and technical controls. DoD has decided to assess the risk of unimplemented requirements by assigning each a “DoD Value” from 5 (highest impact on the security of the system) to 1 (lowest impact). These values are informed by the priority codes that NIST assigns to the NIST SP 800-53 Revision 4 security controls, which are used for federal information systems and form the basis for NIST SP 800-171.

Non-Compliance is Not an Option 

In 2018, DoD guidance is already moving toward full enforcement of compliance, and the consequences of a compliance failure can extend well beyond those of the data breach itself. Failure to comply with DFARS can expose contractors to penalties imposed by the United States Government (civil, criminal, contractual, and administrative actions) and to actions for damages brought by individuals and private organizations harmed by the non-compliance.

  • Bid Protests: While SSPs and POA&Ms are important for determining “adequate security,” it is still unclear exactly what part they will play in bid protests and in the implementation of NIST SP 800-171. After reviewing implementation status during the pre-award stage, DoD can make an acceptable or unacceptable determination and ultimately decide whether the contract should be awarded. Another option is to evaluate implementation as a “separate technical evaluation factor.” During the pre-award process, contractors may protest solicitation terms where the treatment of NIST SP 800-171 implementation is inconsistent with DoD’s guidance. After award, disappointed offerors may consider challenging the award where the assessment of the protester’s or awardee’s implementation of NIST SP 800-171 is inconsistent with the guidance documents. If DoD notices inconsistencies between your actual implementation of NIST SP 800-171 and your SSP and POA&M, it could award the contract to another contractor. During 2018, awards to higher-priced bidders that were upheld on protest were based in part on cybersecurity compliance and on offering more than the minimum security requirements in NIST SP 800-171.
  • Termination Risk: The accuracy of your SSP and POA&M, along with proof that you are moving toward full compliance, is crucial. The draft guidance states that solicitations and contracts must include contract data requirements lists (CDRLs) to “require delivery of System Security Plan and any Plans of action after contract award.” Once SSPs and POA&Ms are contractual deliverables, failure to complete compliance, or an SSP that does not accurately state the implementation status of the contractor’s cybersecurity, may provide a basis for termination.
  • DCMA Audits: DoD has recently stated that, as part of its audit function, the Defense Contract Management Agency (DCMA) will confirm that every contractor has an SSP and POA&M. However, DCMA will not assess whether the SSP fully complies with the NIST SP 800-171 security requirements, and it is unknown at this point whether DCMA would leverage any of DoD’s guidance in its review.
  • False Claims Act: If a contractor is audited by DoD and found not to have implemented DFARS/NIST SP 800-171, the contractor can face numerous penalties. For example, if your SSP misrepresents your actual cybersecurity status, the government can bring a fraud action under the False Claims Act, and may be able to show that the original SSP was material to the Department’s award decision. If that argument succeeds, your earnings under the original contract are at risk, along with the reputation of your organization.

Make Compliance a Priority Before it’s Too Late!

At CyberSheath, we know that implementing these new security controls can seem like a daunting undertaking. We’ve successfully assessed and implemented the required NIST 800-171 controls for leading organizations in the defense industrial base supply chain.

CyberArk is considered a global leader and pioneer in providing privileged access security, and for good reason.

Because CyberArk provides the most advanced Privileged Account Management (PAM) solutions in one platform, CyberSheath made the strategic decision to build out our PAM professional services with a CyberArk focus. One of the challenges for our mid-sized managed services customers was fitting CyberArk capabilities into resource-constrained budgets. CyberArk, trusted by the world’s leading businesses and more than 50% of Fortune 100 companies, was often inaccessible to mid-sized businesses. We are happy to report that this has changed: CyberSheath now offers CyberArk as a flexible, multi-tenant, pay-as-you-go managed service offering.

CyberArk’s Advanced Security Solutions are Accessible and Affordable to Mid-Sized Businesses

CyberArk recently unveiled an expanded offering for Managed Security Service Providers (MSSPs) like CyberSheath, featuring a multi-tenant, pay-as-you-go option. The new multi-tenant offering allows CyberSheath to extend the reach of the CyberArk Privileged Account Security Solution to companies of all sizes. CyberSheath can now enable you to meet your compliance and operational PAM objectives for DFARS 252.204-7012, NIST SP 800-171, Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and more.

The multi-tenant version of the Privileged Account Security Solution offers consumption-based pricing to meet the unique needs of mid-sized businesses.

CyberArk’s flexible pay-as-you-go method enables CyberSheath to offer CyberArk’s advanced solutions without the huge up-front costs. CyberSheath delivers privileged access security as a single or multi-tenant solution, and your business only pays for what is deployed.

CyberArk’s pay-as-you-go model opens up privileged access security to businesses that previously lacked the funds or bandwidth for a large upfront investment. Mid-sized businesses will no longer be left out in the cold from obtaining CyberSheath’s award-winning PAM professional services, previously only affordable to larger organizations. CyberSheath can now help your business reduce privilege-related security risk from malicious insiders and external attackers, leveraging the best PAM solution on the market.

CyberSheath offers a wide range of managed security services to a diverse range of customers, improving overall security and IT operations across multiple platforms. With CyberArk PAM now a part of that offering for mid-sized businesses we can easily accelerate onboarding, and control and monitor their privileged accounts 24/7.

CyberArk’s MSSP offering enables customers to scale their privileged-access security offering over time, and, most importantly, improve overall security. CyberSheath’s privileged-access security professional and managed services, leveraging a best in class capability, reduce risk across all environments — on-premises, in hybrid-cloud environments and at the endpoint.

CyberSheath is the Most Trusted CyberArk Professional Services Provider

We’re the most trusted experts in privileged account security. That’s why more organizations choose CyberSheath for the highest quality implementation of all CyberArk professional service and managed services. We’ve been delivering CyberArk managed services for some of the largest customers in the defense, financial and utility sectors for years and now we are thrilled to offer these services to mid-market customers.

Let CyberSheath protect and monitor your privileged accounts, enable compliance with all regulatory requirements and measurably improve your operational security.

Your organization is always looking for ways to increase security, ensure reliability, and reduce costs. One way to accomplish this is to leverage the power, flexibility, and cost-effectiveness of cloud solutions. With CyberArk now officially supporting the cloud deployment of their privileged access solution, it’s time for you to reap the benefits of deploying your privileged account management (PAM) solution in the cloud.

CyberSheath can help. Over the past several months, our engineers have been working with organizations like yours to assist them in gaining all the benefits of migrating and deploying their CyberArk solutions in the cloud.

Here are Compelling Reasons to Run CyberArk in the Cloud

Shifting to cloud deployment makes sense for a few important reasons. Also, it’s important to note that currently, CyberArk’s PAM solution is supported on Microsoft Azure and Amazon Web Services.

Cloud deployment of your CyberArk solution can result in:

  • Lower cost – See the cost example below of running CyberArk on Azure or AWS for a year. Cloud deployment also helps you reduce the number of infrastructure support teams and resources needed, further benefitting your bottom line.

  • Improved reliability – AWS and Azure both carry up-time guarantees, which takes the onus off of your infrastructure. The simplified cloud-based solution means less down-time caused by having the application dependent on multiple teams and other layers of the architecture. AWS, in particular, offers many powerful yet simple options to make the application fault-tolerant and rapidly recoverable.
  • Increased flexibility – By deploying CyberArk in the cloud, you can painlessly and quickly enhance architecture designs as needed. You can rapidly deploy an entire application environment for a proof of concept within hours and then throw it away when finished. Also, hybrid architectures are possible, making stepping into the cloud easy and painless. For example, sometimes it makes sense to keep the Vault server hosted on-site and deploy all or additional component servers into the cloud.

Think Moving to the Cloud is Right for You?

Consider the following:

  • Investing in your cloud administrator resources will make sure you get the most benefit out of deploying CyberArk in the cloud.
  • Moving the keys to your organization into the cloud means you need to properly secure access to cloud service management tools. Be sure to design access and roles to be aligned with the cloud service provider’s best security practices.
  • Best security practices for the network architecture in the cloud can enhance your existing security design, but only if integrated properly. Security concerns and solutions vary between cloud service providers. Be sure your deployment follows both the cloud vendor’s and CyberArk’s best practices.

CyberSheath engineers certified in both CyberArk and cloud services can manage the entire solution for your organization. Contact us to see how we can help move your CyberArk solution to the cloud.


You’ve done some of the hard work already. Your organization is onboard with ramping up cybersecurity efforts – and you’ve even acquired CyberArk to help support your Privileged Account Management (PAM) efforts.

Now it’s time to implement your PAM solution.

As you know, a PAM system helps prevent the theft of highly privileged credentials – and better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.

But implementing a PAM solution can seem like a daunting task – and you don’t want a breach at your organization to be your incentive to move forward. How do you get started and make sure your PAM solution doesn’t become shelfware?

Gain traction of your PAM project with a phased approach.

At CyberSheath, we have seen many organizations at various levels of PAM maturity. In our experience, a phased approach is the best way to deploy a PAM solution. This method enables you to tackle finite pieces of the project quickly, and helps you make a positive impact on your organization’s security in as few as 30 days. We recommend running each phase as a sprint (usually targeted to take 30 days). Keep in mind that sometimes a phase will need to be divided into mini-sprints.

Here are the top-level phases to help you craft your PAM approach. While you may shift the order of phases to fit your organizational priorities and infrastructure complexity, we have found this hierarchy of action to be effective at rapidly identifying and remediating key security gaps.

Each phase below lists the area of focus, what it is, why it is a priority, and what you need to do.

Phase 1 – Built-in Local Accounts
What it is: For Windows, a built-in account is a user account created during installation, such as the local Administrator; on Unix, the equivalent is root.
Why it is a priority: These accounts have passwords that are known to multiple people, some of whom have probably left your organization. Often the same password is used across multiple systems, so a single compromised host lets an attacker move laterally with Pass-the-Hash to much of your infrastructure. These accounts are homogeneous and tend to be the easiest to onboard as a first step in your PAM initiative.
What you need to do:
  • Identify and onboard built-in accounts for Windows (Administrator) on servers and desktops, and for Unix (root).
  • Enable password rotation on all of these accounts.

Phase 2 – Domain Admins
What it is: Domain Admins is a built-in Active Directory group whose members administer all domain servers and have full administrative rights to many components of the corporate infrastructure.
Why it is a priority: These few accounts are a master key with access to everything. Securing this small group is a fast way to safeguard your systems.
What you need to do:
  • Onboard Domain Admin accounts into CyberArk.
  • Switch to the shared privileged account model and revoke individual domain-admin permissions.

Phase 3 – Database, Exchange, and Application Admins
What it is: Database, Exchange, and application administrators manage and maintain database management systems and application software.
Why it is a priority: This is where the data is. These accounts control access to all the intellectual property at your company.
What you need to do:
  • Isolate and monitor Tier 1 assets.
  • Onboard any privileged database and Exchange admin accounts.

Phase 4 – Network Devices
What it is: Network devices are the components that connect computers and other devices so that they can share files and resources.
Why it is a priority: Access to your network can be an entry point to any other system at your organization.
What you need to do:
  • Identify and onboard network devices, business apps, and security appliances.

Phase 5 – Service Accounts
What it is: A service account is a user account created explicitly to provide a security context for services running on operating systems and applications.
Why it is a priority: These accounts often have high-level access, and a password compromised on one of them provides a foothold across your network. Passwords on these accounts often have not been changed in years, so their security is suspect.
What you need to do:
  • Identify and begin addressing the management of service accounts and application IDs.
  • Purchase additional licensing as required.

Phase 6 – Corporate Accounts
What it is: External accounts created in your company’s name that provide third-party services not available internally, such as Twitter, Facebook, and credit and bank accounts.
Why it is a priority: Unauthorized access to these accounts can adversely impact your brand and your bottom line.
What you need to do:
  • Protect corporate communications and external financial systems accounts.

Phase 7 – Desktop Computers
What it is: The desktop and laptop computers given to employees to support their work and productivity.
Why it is a priority: Individual desktops can provide an entry point for attackers to infiltrate corporate systems, since local passwords tend never to change and are often the same across all devices.
What you need to do:
  • Enable only specific users to elevate their permissions.
  • Limit which apps and commands can be run by which users.

Here’s a useful graphic to help with planning the phased approach for your PAM solution. Download it for your reference.


Stay tuned for more information coming soon on how to prepare for and scope an individual sprint to tackle one or more of these areas.

If you would like experienced help identifying or implementing PAM phases for your organization, you can rely on CyberSheath’s skilled SMEs. Contact us to learn more and to get started.

What do you and your security team need to successfully improve privileged access controls? The first blog in this series offered direction on making the core decisions that power your overall strategy. Next we recommended ways to engage stakeholders across your organization. Now it’s time to provide guidance on the team, techniques, and tools you’ll need to drive this initiative.

Here’s What You Need to Get It Done

  1. Realistic expectations

Make sure you go into your privileged account management (PAM) deployment with a clear view of the process and its impacts on your organization. It is common to scope the initial “quick win” phases to be completed in a matter of weeks, in order to gain traction and prove the value of the initiative. From there, the initiative is usually continued with a phased approach. Rolling out better privileged access controls across an enterprise is typically a year to multi-year effort. Your organization can expect to see results in terms of risk reduction almost immediately after deploying improved controls around the first set of accounts.

During implementation, there will be some temporary disruption to business processes. Post-deployment, business processes are often sped up. If well-planned, improving privileged access controls can provide benefits such as increased efficiency, fewer user errors, increased uptime, and easier troubleshooting. After the initial deployment, an ongoing effort will be required to ensure that privileged access controls keep up with changes in the environment.

  2. The right people with the right skillsets

PAM solutions can be fairly complex to deploy and maintain. They typically touch multiple IT domains (Windows, Unix, databases, network devices, etc.) and require a broad set of skills, from basic troubleshooting to writing custom scripts and code. This typically calls for at least two dedicated engineering resources, a project manager, a service owner, and some engagement from professional services.

Required skillsets include:

  • Technical/design – Members of the security team must be able to handle the technical issues, questions, and objections that arise. Areas of expertise should include:
    • The infrastructure used in the organization
    • Platforms such as Microsoft Windows and Linux
    • Applications and databases
    • Application development practices with respect to permissions
    • Privileged account security controls
    • Security control design
    • Processes around technology service management
  • Security governance and risk – The team should be able to help business and IT leaders make governance and risk decisions and guide the optimization of policies and processes. This requires a thorough understanding of business operations and goals. Knowledge of identity and access management (IAM) and of account provisioning and maintenance practices is also important.
  • Project management – A large-scale privileged access security initiative requires methodical planning and has many moving parts. You will need people with strong project management skills on the team to keep all of the various stakeholder groups aligned and focused on what needs to be done and to make sure it happens.
  • Soft skills – The security team will need people with diplomatic skills and an aptitude for negotiation, politics, and communication. Members of the team need to be able to explain why new processes need to be followed and be competent at listening to stakeholders and taking their concerns into consideration.
  3. Measurable and meaningful metrics

Your PAM deployment needs to deliver results and measurable outcomes. Metrics are valuable to illustrate the need for better controls, measure improvements, and demonstrate the value of the program.
Use metrics to:

  • Test effectiveness of controls – Through penetration tests, measure the potential vulnerabilities of credentials and show how vulnerabilities have been reduced after implementing improvements. Test how long it would take for an attacker to get control of domain admin accounts.
  • Show when to make course corrections – Measure access violations before and after implementing control changes. Be prepared to rework controls if expected results are not materializing.
  • Gauge the effect of controls on efficiency – Calculate the amount of time admins are spending on tedious tasks, such as resetting passwords.
  • Measure how the controls impact system availability – Applications with embedded credentials must periodically go through scheduled downtime so credentials can be changed. Take note of the amount of downtime required. Admin errors can inadvertently bring down a system. Compare the time required to recover from an outage before and after implementing control changes.
  • Assess impact on application performance – Test application performance and functionality before and after removing embedded passwords from applications.
  4. A plan with milestones

After identifying priorities, you will need to break the priority areas down further into phases. Here is one approach to phasing your PAM deployment.

  • Phase 0: Installation and basic configuration of the PAM solution
  • Phase 1: Built-in accounts – Identify and onboard built-in accounts and enable password rotation on the accounts.
  • Phase 2: Domain admins and individual account privilege revocation – Onboard domain admin accounts into CyberArk. Isolate and monitor sessions to Tier 0 assets. Remove or minimize any local privileged accounts or users that have been added to the “Administrators” group on servers, except those required for service accounts, and make this clean-up an ongoing process.
  • Phase 3: Databases, exchange admins and Tier 1 session isolation – Isolate and monitor Tier 1 assets. Onboard any privileged database and exchange admin accounts you may have.
  • Phase 4: Network devices, business apps, security systems, legacy systems – Identify and onboard network devices, business apps, and security appliances. Use Privileged Session Management and the PAM solution’s MFA capability to protect privileged access to legacy systems.
  • Phase 5: Service accounts – Identify and begin addressing the management of service and App IDs.
  • Phase 6: Desktop least privileged model and whitelisting of apps (OPM/EPM) – Allow only certain users to elevate their permissions. Limit which apps and commands can be run by which users.
  • Phase 7: Corporate accounts – Protect corporate communication and external financial systems accounts and other accounts. Use privilege session management to allow users to use these accounts without revealing the password.
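The phased approach in the table earlier on this page and the phase plan just above both start from the same inventory questions: which hosts share a built-in Administrator password (the Pass-the-Hash exposure of Phase 1), which individuals still hold Domain Admin once the shared vaulted accounts exist (the revocations of Phase 2), and which service-account passwords have not been changed in years (the rotation backlog of Phase 5). The script below is an added example, not CyberSheath or CyberArk code, that answers those questions over constructed discovery output and turns them into a phase-ordered worklist. The hostnames, account names, NT hash strings, the allowlist of shared Domain Admin accounts and the assessment date are all made up; the hash strings stand in for whatever a credential discovery tool would report for the RID 500 account on each host.

```python
"""Triage a privileged-account inventory into the PAM phases described above.

Added example (not CyberSheath or CyberArk code). Every value below is
constructed sample data in the shape a discovery tool would emit.
"""
from collections import defaultdict
from datetime import date

# Constructed: NT hash of the built-in local Administrator (RID 500) per host.
# Identical hashes mean identical passwords, so one compromised host gives an
# attacker Pass-the-Hash access to every other host in the same cluster.
LOCAL_ADMIN_HASHES = {
    "fs01":  "a4f49c406510bdcab6824ee7c30fd852",
    "fs02":  "A4F49C406510BDCAB6824EE7C30FD852",   # same password, different case
    "web01": "a4f49c406510bdcab6824ee7c30fd852",
    "db01":  "0cb6948805f797bf2a82807973b89537",
    "db02":  "0cb6948805f797bf2a82807973b89537",
    "dc01":  "e7a2e6a4b6f0d2c9b1e5f3a7c8d9e0f1",   # unique: no lateral exposure
}

# Constructed: current Domain Admins membership, and the shared vaulted accounts
# (hypothetical names) that remain once the shared privileged account model is in place.
DOMAIN_ADMINS = {"CORP\\da-vault01", "CORP\\da-vault02",
                 "CORP\\jsmith", "CORP\\mlee", "CORP\\svc-backup"}
APPROVED_SHARED_DA = {"CORP\\da-vault01", "CORP\\da-vault02"}

# Constructed: service accounts with the date their password was last set.
SERVICE_ACCOUNTS = {
    "CORP\\svc-backup": date(2014, 3, 2),
    "CORP\\svc-sql":    date(2016, 11, 20),
    "CORP\\svc-web":    date(2018, 5, 1),
}
ASSESSMENT_DATE = date(2018, 10, 1)   # constructed "today" for the assessment


def shared_local_admin_clusters(hashes, min_hosts=2):
    """Phase 1: group hosts whose built-in Administrator shares one NT hash.

    Hashes are case-normalised before grouping. Returns {hash: sorted hosts}
    for clusters of at least min_hosts, largest cluster first, so the top
    entry is the password whose rotation removes the most lateral movement.
    """
    by_hash = defaultdict(list)
    for host, nt_hash in hashes.items():
        by_hash[nt_hash.lower()].append(host)
    clusters = {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) >= min_hosts}
    return dict(sorted(clusters.items(), key=lambda kv: -len(kv[1])))


def pth_blast_radius(hashes):
    """Phase 1 metric: most hosts reachable by Pass-the-Hash from one stolen local admin hash."""
    clusters = shared_local_admin_clusters(hashes, min_hosts=1)
    return max((len(hosts) for hosts in clusters.values()), default=0)


def domain_admins_to_revoke(members, approved):
    """Phase 2: individual accounts still holding Domain Admin after the shared
    vaulted accounts are onboarded; each entry is one revocation work item."""
    return sorted(members - approved)


def stale_service_accounts(accounts, today=ASSESSMENT_DATE, max_age_days=365):
    """Phase 5: service accounts whose password is older than max_age_days,
    oldest first, as (account, age_in_days) so the list doubles as the rotation order."""
    stale = [(acct, (today - last_set).days) for acct, last_set in accounts.items()
             if (today - last_set).days > max_age_days]
    return sorted(stale, key=lambda item: -item[1])


def build_worklist(today=ASSESSMENT_DATE):
    """Assemble the phase-ordered onboarding worklist from the constructed inventory."""
    return {
        "phase1_shared_local_admin": shared_local_admin_clusters(LOCAL_ADMIN_HASHES),
        "phase1_blast_radius_hosts": pth_blast_radius(LOCAL_ADMIN_HASHES),
        "phase2_revoke_domain_admin": domain_admins_to_revoke(DOMAIN_ADMINS, APPROVED_SHARED_DA),
        "phase5_rotate_service_accounts": stale_service_accounts(SERVICE_ACCOUNTS, today),
    }


if __name__ == "__main__":
    for phase, items in build_worklist().items():
        print(phase, items)
```

Run against real discovery output, the Phase 1 cluster sizes give the sprint a concrete risk number to report (hosts reachable from one stolen hash) and a concrete exit criterion (every cluster reduced to size one once rotation is enabled), which is the kind of before-and-after metric the next section asks for.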

Keep your momentum. Implementing more advanced controls across a large enterprise often requires a certain persistence and fortitude. A common reporting model is a weekly status meeting for the project team and a monthly review by an executive steering committee.

  5. The Right Tools

Start by understanding your strategic goals and formulating your approach, then find tools that will help achieve those goals. Take the time to select privileged account security and management tools that support your specific security and enterprise requirements. Adopt processes to get the most out of tools and to help you stay on track. Some technology features that are especially important include the ability to:

  • Securely store credentials in an encrypted vault
  • Create a single sign-on environment
  • Uniquely identify users and restrict their use of privileged accounts
  • Limit the length of privileged sessions for a user or application
  • Centrally monitor and record the use of privileged accounts
  • Automate password changes to run on schedule or trigger when an employee leaves the organization
  • Scale and meet performance demands in a large enterprise environment
  • Integrate with the organization’s infrastructure, applications, and other security technologies

Other key tools and technologies that can be helpful include:

  • Enhanced monitoring and alerting systems such as Security Information and Event Management systems (SIEM) and Security Analytics/Big Data Platforms
  • Technology for two-factor authentication to be used for remote access, third parties, and infrastructure administrators who have root or domain admin privileges

The theft of privileged credentials and privilege escalation are key stages in most successful cyber attacks. Today’s threat environment is prompting many enterprises to address the gaps in their security program to better protect privileged credentials. It requires a strong combination of technical and soft skills, a methodical project plan, appropriate tools, and persistence.

CyberSheath has helped implement comprehensive enterprise-wide initiatives in privileged account security. We work with over 50 organizations ranging from the largest financial, healthcare, and development firms with thousands of users to new implementations at organizations with only a handful of IT users. Contact us to get your PAM initiative started.

You’ve made the three decisions necessary to start building your privileged account management (PAM) plan. The next step is to build consensus and create stakeholder buy-in by having four pivotal conversations with key members of your executive, business process, and IT teams.

Who You Should Talk to – And What You Should Say

Executive Team – Lead with, “It’s time to make privileged account management a priority.”

Getting Ready & Intel

  • Secure buy-in from the top – The initial deployment will require senior leadership to understand the risks of unsecured privileged accounts, and, just as importantly, they will need to specify deadlines by which all privileged accounts must be compliant. The prioritization of a successful PAM project will be driven from the top down. In addition to establishing accord with the CIO/CTO/CISO, it is important that you engage the compliance and financial executives.
  • Garner support to obtain budget and resources – Executive leadership can rally employees to make your PAM initiative an organizational priority, impart a sense of urgency and ownership across the organization, and prevent it from being derailed by minor issues.

Talking Points

  • Analysis of high-profile breaches – Describe how privileged access controls factored into particular breaches and relate it to your company’s own risk profile.
  • Penetration testing results – Assess how long it would take for a skilled adversary to compromise your organization’s privileged accounts. Show what assets an attacker can get to.
  • Benchmarking – Reference industry practices for securing privileged access.
  • Compliance requirements – Outline the privileged access regulations applicable to your organization.
  • Proof-of-concept results – Do a proof-of-concept in which you implement increased privileged account monitoring and report on the results.

Business and IT Process Owners – Lead with, “Let’s optimize how privileged credentials are used.”
Getting Ready & Intel

  • Emphasize teamwork and the initiative’s aim of increasing task efficiency – Privileged accounts will be involved at some level in almost every critical business and IT process. For the most part, improving the security around privileged accounts will not deeply affect existing processes. Work closely with the owners of these processes to understand the underlying credential usage, bring that knowledge into the design of controls, and identify opportunities to improve security, streamline tasks, and reduce errors.
  • Make business users allies – By helping leaders in business and IT to improve the security and efficiency of their processes, your security team can gain important allies. If prominent leaders in business and IT are champions of the initiative to improve privileged access controls, it can influence the privileged users within their groups.

Talking Points

  • Who needs elevated privileges and when – Review how privileges are used as an opportunity to reinforce the principle of least privilege.
  • Feasibility of restricting an account’s use of certain commands – Talk about automated privileged access technology and how granular restrictions can be enforced.
  • Risks and process change necessities – Balance the level of protection with the need to meet other business goals such as efficiency.
  • Principle of separation of duties for this process – Look for ways to redesign processes so that technology automatically enforces separation of duties.
  • Preventable error patterns – Talk about configuring controls to ensure certain steps require approval.
  • Applications in use – Uninstall applications with embedded credentials if the application is no longer used.
  • Session script requirements – Consider redesigning a script so that it requires shorter privileged sessions.

IT Admins and Other Privileged Users – Lead with, “We’re going to change privileged access procedures for the better.”

Getting Ready & Intel

  • Show empathy and challenge perceptions – Buy-in from IT Admins is essential for the success of your PAM initiative. The “default” view of IT administrators is that they could do their job better with unfettered access and freedom to choose their own tools. They may see any additional steps or restrictions as making their job harder and slowing them down.
  • Select the security team spokesperson wisely – The team member you put in charge of this conversation needs to be able to articulate the threat and must have technical knowledge of the platforms and applications involved. If your security team cannot address objections at a detailed technical level, the process may be derailed.
  • Know that other privileged users are typically more accepting – Staff in non-IT roles who have privileged access – such as those who need to work with financial reports and bank accounts – tend to be more accepting of new controls.

Talking Points

  • Changes to workflow – Demonstrate that the PAM effort will streamline some tasks and make the way they work with credentials much more efficient.
  • Strong executive mandate – Discuss the importance of the initiative and persuade administrators to accept changes.

Developers – Lead with, “How can we better secure the use of privileged credentials in these apps?”

Getting Ready & Intel

  • Acknowledge that refactoring applications can be a challenge – Many applications, scripts, and configuration files include hardcoded privileged credentials. Updating older code is inherently difficult, and some platforms make it hard to operate with anything less than the highest possible permissions.

Talking Points

  • The right level of privilege for each application – Work together to determine the privilege rights for all your organization’s applications.
  • Understanding least and excessive privileges – Discuss the principle of least privilege. Help developers understand the consequences of excessive privileges.

Handling objections
Be prepared to manage objections that may emerge during deployment.

  • “You can’t take away those rights – I need them!” – Often you will need to convince people that the privileges they are losing are not necessary. Point out that the change protects them by reducing the risk that their accounts will be compromised.
  • “I tried it and it doesn’t work.” – As changes to controls are implemented, users may report problems. Proactively set up a process ahead of time for responding to concerns. Be responsive as people adopt new processes and technologies. Maximize usability of the control design.
  • “I don’t have time for this.” – When you encounter pushback, strong executive sponsorship of the initiative is extremely important. Focus on the value you bring to users and help them to see the benefits.
  • “This feels like Big Brother.” – Administrators can be sensitive about increased monitoring. Reassure them and address governance issues such as what reports are run when and by whom.

Technical expertise and soft skills are needed to pull off these conversations. The third and final blog will expand on the skillsets you need to be successful and will explore some of the elements of an effective PAM deployment.

And if you’d like assistance from our team on how to have these conversations with your stakeholders, contact us. We’re here to help.

With cyberattack headlines in the news each week, it’s more important than ever to do everything possible to safeguard your systems and data. One way to accomplish this is to prevent the theft of highly privileged credentials. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.

How do you improve your privileged account management?

This blog is the first in a series of three articles where we walk you through decisions you need to make to power your strategy, conversations you should have to create stakeholder buy-in, and resources you require to launch your privileged access initiative. Let’s start by discussing the core decisions your organization needs to make at the outset of the process.

  1. What should you do and when? You need to prioritize what accounts require better protection and be aware of when to make changes. A focus on privileged accounts must be done within the context of your overall security strategy and weighed against other goals. Be aware that if privileged credentials are not properly secured, other controls meant to protect the infrastructure could be rendered ineffective.
    • Conduct an initial “baseline” discovery of privileged accounts. Before beginning privileged account management (PAM) deployment, perform an initial discovery of the privileged accounts in your environment. Using a tool such as “DNA” from CyberArk can give you valuable insight into the types of accounts that exist at your organization. Having a good baseline report will help you create a phased approach to securing the privileged accounts.
    • Evaluate risks and prioritize implementation. Determining order of priority requires identifying which accounts represent the biggest risks. Focus on accounts that provide elevated access to the organization’s most critical systems and build your PAM plans from there. Engage the compliance department early, to understand the requirements behind reporting and various security controls.
    • Plan the timing and rollout of your PAM project. Once you’ve conducted a discovery, you may be in for a surprise as to just how many privileged accounts you have. Given the scope and reach of the project, it will make sense to adopt a phased approach. Deploy at least a limited proof-of-concept demo to help you identify any immediate limitation in the vendor’s platform that may require custom development for your organization. We’ll be discussing how to plan your rollout in further detail in the third blog in this series – so stay tuned for that valuable information.
  2. What’s the best mix of controls? There are many options for how to proceed. The right approach for your organization requires intelligently deploying the most effective controls for each privileged account access use case.
    • Take a layered approach. Reducing the risks around privileged accounts requires a layering of preventive and detective controls. Preventive controls can help stop the unauthorized activity. Detective controls can help to discover it when it occurs, either maliciously or by mistake before any significant damage occurs and/or provide an audit trail and accountability.
    • Use detective controls to avoid over-limiting access. The use of detective controls can often help in achieving the balance between enabling and restricting access. Rather than putting in place preventive controls that may be overly restrictive, in some cases, a better approach would be less restrictive access that is carefully monitored for any violations. Detective controls are especially important in cases where increasing restrictions is simply not feasible.
    • Secure credentials used by applications and scripts. Credentials used by applications and scripts often need better security controls. If possible, applications should meet the following requirements:
      • The credentials for the account should be stored securely.
      • The account password or SSH key should be changed regularly.
      • The application should be designed using the principle of least privilege.
    • Use compensating controls for embedded credentials. For applications that cannot be refactored right away, compensating controls might be appropriate such as:
      • Configure the account to be non-interactive and unusable for logging on.
      • Increase monitoring on the accounts.
      • Use analytics to detect possible misuse of an application’s account.
  3. How much is enough? Controls should provide better security without encumbering business processes.
    • Make sure you select a PAM solution that will scale with your business. Pick a vendor that can scale with your organization. A PAM solution may become the cornerstone of your company’s security posture, eventually requiring all IT personnel to engage with it. A great PAM solution will have SDKs (Software Development Kits) and APIs (Application Programming Interfaces) so that you can extend your investment in the platform to meet the complex requirements of tomorrow.
    • Seek a win-win situation. Security and usability need not always be in conflict. Unlike many other types of security controls, better processes and technologies for privileged access management can offer the business improved productivity and user satisfaction.
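The detective side of the compensating controls above (accounts that should not log on interactively, application accounts used from unexpected hosts, and credentials that are overdue for rotation) can be checked mechanically. This is an added example, not code from the original post or from any PAM product; the account inventory and the sshd-style log lines are constructed, and the account names and policy values are hypothetical.

```python
import re
from datetime import date

# Constructed inventory of application accounts (hypothetical names). Each
# entry records how the account is allowed to authenticate, the hosts its
# application is expected to connect from, and when its credential was last
# rotated. A PAM tool would normally be the source of this data.
SERVICE_ACCOUNTS = {
    "svc_backup": {"methods": {"publickey"}, "sources": {"10.0.5.20"}, "rotated": date(2017, 1, 10)},
    "svc_report": {"methods": {"publickey"}, "sources": {"10.0.7.31"}, "rotated": date(2017, 4, 1)},
}
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy

# Constructed sshd-style log lines for the example (not from a real system).
LOG_LINES = [
    "Apr 20 02:00:01 app1 sshd[811]: Accepted publickey for svc_backup from 10.0.5.20 port 50112 ssh2",
    "Apr 20 09:14:07 app1 sshd[902]: Accepted password for svc_backup from 192.168.1.44 port 51880 ssh2",
    "Apr 20 09:20:44 app1 sshd[955]: Accepted publickey for svc_report from 10.0.7.31 port 40022 ssh2",
    "Apr 20 10:02:13 app1 sshd[977]: Accepted publickey for alice from 10.0.9.5 port 40100 ssh2",
]

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def scan_logins(lines, inventory=SERVICE_ACCOUNTS):
    """Return (user, finding, ip) tuples for service-account logons that break
    policy: an authentication method the account should not be able to use
    (for instance a password on an account meant to be non-interactive), or a
    source host the application is not expected to run on."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, method, ip = m["user"], m["method"], m["ip"]
        acct = inventory.get(user)
        if acct is None:
            continue  # human account: outside the scope of this check
        if method not in acct["methods"]:
            findings.append((user, "disallowed_method:" + method, ip))
        if ip not in acct["sources"]:
            findings.append((user, "unexpected_source", ip))
    return findings


def overdue_rotations(today_iso, inventory=SERVICE_ACCOUNTS, max_age=MAX_CREDENTIAL_AGE_DAYS):
    """Return the accounts whose password or SSH key is older than the rotation
    policy on the given date (ISO format, e.g. "2017-04-20")."""
    today = date.fromisoformat(today_iso)
    return sorted(name for name, acct in inventory.items()
                  if (today - acct["rotated"]).days > max_age)


if __name__ == "__main__":
    for finding in scan_logins(LOG_LINES):
        print("ALERT", *finding)
    print("overdue rotation:", overdue_rotations("2017-04-20"))
```

Feeding the same checks from your PAM tool's inventory and your central log store turns the "increase monitoring" and "use analytics" items into concrete alerts rather than a policy statement.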

In our next blog, we’ll cover the four pivotal conversations you need to have with your stakeholders to help your project succeed.

If you’d like assistance launching a PAM project to help secure your enterprise, contact us. We’ve got the experience and expertise to help build you a solution to meet your privileged account access needs. Contact CyberSheath today! 


Major data breaches and an always evolving cybersecurity threat and fraud landscape mean that the financial sector is under constant pressure to keep customer and corporate data safe from hackers.

Last year saw the biggest data breach in UK history with over 20,000 Tesco Bank customers losing money from their accounts. Also in 2016, hackers used hijacked privileged credentials to steal $81 million from vulnerable customer accounts at The Bangladesh Central Bank.

It’s a tough cybersecurity landscape out there – and financial institutions need to stay ahead of hackers. Cybersecurity leaders recently gathered at the SWIFT Business Forum in London to discuss the challenges faced by banks including:

  • Changes in targets and tactics – JF Legault, cybersecurity global head at JP Morgan, spoke about the changing nature of cybersecurity threats stating, “We saw the advent of malware targeting wholesale banking platforms. Criminals stopped going after simple, low-value monetary amounts and shifted to high-value payment platforms. The reason they did that was a lot more yield on the crime(s) they committed. We also saw a shift toward business email compromise… [and] a high number of breaches affecting the financial sector that led to fraudulent messages.”
  • False positives – Banks are wasting valuable time flagging activities in the anti-money laundering monitoring systems that are not actually fraudulent. These “false positives” take time away from strategic activities. Anthony Fenwick, global head of treasury and trade solutions and AML compliance at Citigroup, pointed out, “Our biggest problem in this industry is false positives…the use of electronics and AI have to go hand-in-hand with the best humans. The idea that we remove all human activity from this process misses the point of what we are trying to do.”
  • Insider threats – Regional vice-president for UK, Ireland, and Northern Europe at CyberArk, Matt Middleton-Leal, underlined that banks most fear attacks that hide behind insider privileges. “They allow cybercriminals to appear as legitimate users, giving them unprecedented freedom to work their way up to their most valuable financial assets.” Gottfried Leibbrandt, CEO at the financial messaging vendor SWIFT chimed in that, bank customers “will always be the weakest link, but at the same time the response should not be ‘let’s fix the weakest link’ but you have to take an end-to-end view.”
  • Consumer-friendly usability – According to Royce Curtin, managing director of global intelligence at Barclays, a big breach is a huge concern, but that must be balanced with providing customers with solutions they want to use. “We work very hard and take very seriously the responsibility of building systems and trust for services that people feel comfortable using.”

How Banks Can Overcome These Issues

  • Improved communication – Better communication and intelligence sharing at financial institutions is a good first step toward building a more robust cybersecurity program.
  • Multiple-layered security – Concentrating on multiple-layered security also helps safeguard valuable bank information.
  • Actionable insights – Many banks are looking for intelligence that can be quickly turned into an effective response, especially when it comes to landscapes where breaches are more likely to occur. Create actionable intelligence inside the banks and publish it out. Take a strategic view and identify suspicious behaviors (e.g. here is a set of accounts and a volume of transactions that we should be mindful of) so that proper security alerts and timely, effective responses can be undertaken.

How CyberSheath Can Help

CyberSheath can help companies in the financial sector address many of these issues with security consulting services and expert guidance. We provide privileged account management, which gives strong protection inside the perimeter, as well as security assessments and best-practice recommendations based on experience solving security-related problems for major financial clients. Contact us for your FREE security assessment.

Chances are if you are involved in maintaining your organization’s cybersecurity, you’ve had more than a few sleepless nights after hearing the disastrous consequences of another entity’s breach. This story is no different.

DNS Hijack and Extremely Well-executed Spoofed Sites Fool Bank Customers

Earlier this month, the security firm Kaspersky detailed the wholesale takeover of a yet unnamed bank in Brazil. The attack itself was a quintessential DNS hijack in which the attackers took over several of the bank’s domains. For a period of five hours, customers were directed by NIC.br (the company that manages the bank’s DNS service and, incidentally, the domain registrar for the Brazilian top-level domain, .br) to spoofed versions of the bank’s legitimate sites. The spoofed sites were reportedly near perfect, down to having their own valid SSL certificates issued in the name of the bank.

Hackers Obtained SSL Certificate for Rogue Sites

Once they had control over the domains, the attackers applied for an SSL certificate from the non-profit certificate authority Let’s Encrypt. In an interview with Wired.com, Josh Aas, founder of Let’s Encrypt, states that entities are issued certificates when they can properly demonstrate control of a domain – which in this case the attackers were able to do.

Per the Let’s Encrypt website (letsencrypt.org), the organization only offers domain validation (DV) certificates, which are sufficient for HTTPS. Kaspersky’s ThreatPost write-up of this incident revealed that the certificates were issued the day before the spoofed sites went live, suggesting that the attackers could exercise a level of control over the bank’s domains in the days leading up to the attack.

Countless Bank Customers Duped into Providing Account Details

These days, consumers are much savvier regarding how, when, and where they share their confidential information. Even so, with the HTTPS designation and the seemingly identical spoofed sites, a large number of bank customers were tricked into providing their account details on the spoofed sites.

How to Make it More Difficult for Attackers to Infiltrate Your Organization

There are several lessons to learn from this hack. First of all, it is important for organizations to work to stay ahead of hacker tactics. Perhaps if the bank in Brazil had followed the tips listed below, the bank and its customers would have been protected from a breach.

  1. Include external accounts in your privileged access management strategy. When identifying privileged accounts in your organization, include internal accounts as well as external accounts that could pose a risk to your organization. Locking down internal root and administrator accounts is not sufficient. Privileged access management must include all accounts that provide elevated access or could impact your organization’s systems or reputation, including those for your social media presence; or, in the bank’s case, the organization’s DNS service provider. If the affected bank had included their NIC.br account in their privileged access management solution, they may have been able to prevent this attack.
  2. Rotate passwords frequently both in your organization and with your personal accounts. Also, two-factor authentication should be used when possible. Had this bank rotated the password more frequently, there is the possibility they may have been able to protect themselves from this attack. If the password for their account at NIC.br changed frequently, the attackers would have needed to compromise it each time.
  3. Get organization validation (OV) or extended validation (EV) certificates when appropriate for your organization. Certificates are not created equal. In this case Let’s Encrypt offers Domain Validation (DV) certificates, not OV or EV certificates. To the general public the nuanced difference between these is likely lost, especially when their browser simply displays a site as “secure”, but the reality is that these certificates have significant differences. OV and EV certificates offer more validation and provide more trust.
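The hijack above changed what the public saw (name servers, addresses and the certificate served for the bank's names) days before customers were affected, which is exactly the kind of drift an organization can watch for. The following is an added example, not CyberSheath's code or the bank's: it compares a kept baseline against an observation and flags delegation, address and certificate-issuer changes. The domain, records and CA names are constructed placeholders, and `live_issuer` is a hypothetical helper showing how a real observation would be taken.

```python
import socket
import ssl

# Constructed baseline for a placeholder domain (example-bank.test is not a
# real organization). A real deployment would keep this under version control
# next to the inventory of registrar and DNS-provider accounts.
BASELINE = {
    "www.example-bank.test": {
        "NS": {"ns1.example-bank.test.", "ns2.example-bank.test."},
        "A": {"203.0.113.10", "203.0.113.11"},
        "issuers": {"Example Bank EV CA"},  # CAs expected to issue for this name
    },
}

# Constructed observation standing in for a live lookup: the delegation has
# changed and the site now serves a certificate from a CA not in the baseline.
OBSERVED = {
    "www.example-bank.test": {
        "NS": {"ns1.attacker-dns.test.", "ns2.attacker-dns.test."},
        "A": {"198.51.100.7"},
        "issuer": "Let's Encrypt",
    },
}


def compare_dns(baseline, observed):
    """Return (name, rtype, kind, value) for every record that differs from the
    baseline: 'unexpected' = seen but not in the baseline, 'missing' = baseline
    record that no longer resolves. Either kind on an NS record is urgent."""
    findings = []
    for name, want in baseline.items():
        got = observed.get(name, {})
        for rtype in ("NS", "A"):
            have = set(got.get(rtype, ()))
            findings += [(name, rtype, "unexpected", v) for v in sorted(have - want[rtype])]
            findings += [(name, rtype, "missing", v) for v in sorted(want[rtype] - have)]
    return findings


def compare_issuer(baseline, observed):
    """Return (name, issuer) for names whose served certificate comes from a CA
    outside the baseline, e.g. a DV certificate where an EV one is expected."""
    return [
        (name, observed[name].get("issuer"))
        for name in baseline
        if name in observed and observed[name].get("issuer") not in baseline[name]["issuers"]
    ]


def live_issuer(hostname, port=443, timeout=5):
    """Hypothetical helper (not called offline): fetch the organizationName of
    the issuer of the certificate a host currently serves, using only the
    standard library. The handshake succeeds for any publicly trusted
    certificate, which is why the issuer has to be compared, not just validity."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    issuer = dict(pair[0] for pair in cert["issuer"])
    return issuer.get("organizationName")


if __name__ == "__main__":
    for finding in compare_dns(BASELINE, OBSERVED) + compare_issuer(BASELINE, OBSERVED):
        print("ALERT", *finding)
```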

Don’t let a hack happen to you. Contact CyberSheath to learn more about our recommendations for safeguarding your organization. Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

Source: https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/

Source: https://threatpost.com/lessons-from-top-to-bottom-compromise-of-brazilian-bank/124770/


As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath’s security consultants have explored technical controls in great detail, providing readers with real-world applications that make a meaningful impact. This week CyberSheath continues to explore NIST 800-171 control 3.1.4, “separate the duties of individuals to reduce the risk of malevolent activity without collusion”.

Privileged account management solutions are valuable tools to meet the following NIST 800-171 controls:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged ac